Breaking the Chrome Sandbox with Mojo

Presented at Black Hat USA 2022, Aug. 10, 2022, 4:20 p.m. (40 minutes).

If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight sandbox. Access to OS resources like the file system are greatly restricted and site isolation still enforces the web security guarantees. To allow such strong restrictions, various IPC services provide required functionality to the renderer process which themselves can become a target for sandbox escapes.

In this talk, we will take a look at Mojo, the IPC framework in Chrome. I will explain the protocol's inner workings using three logic bugs as examples. Finally, we're going to write a reliable exploit for a seemingly impossible race condition.

Presenters:

• Stephen Röttger - Software Engineer, Google
  Stephen Röttger (@_tsuro) is interested in browser security, hardware vulnerability research and CTF competitions. Stephen is working in the v8 security team at Google.

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#breaking-the-chrome-sandbox-with-mojo-27120

Similar Presentations:

• Black Hat Europe 2019 / Site Isolation: Confining Untrustworthy Code in the Web Browser
• Black Hat USA 2022 / Another Way to Talk with Browser: Exploiting Chrome at Network Layer
• Black Hat Europe 2020 Virtual / Shield with Hole: New Security Mitigation Helps Us Escape Chrome Sandbox to Exfiltrate User Privacy