OR'LYEH? The Shadow over Firefox

Presented at Summercon 2015, July 18, 2015, noon (50 minutes)

The Mozilla Firefox browser has a new garbage collection (GC) implementation for its JavaScript engine (SpiderMonkey) since version 32. This new GC algorithm has introduced significant changes to the way that Firefox's heap is organized. The GC heap is now divided into two layers: a first layer for short-lived objects, called the 'nursery', and a second layer for objects that survived a GC pass in the nursery, called the 'tenured' heap. Apart from these two, the latest version of Firefox continues to use jemalloc (on all its supported platforms) for SpiderMonkey metadata and for GC heap objects that fit certain criteria. These changes directly affect the way that the browser's heap can be manipulated towards states that aid in the exploitation of heap vulnerabilities. In this talk we will expand upon previous work we have published on jemalloc heap exploitation approaches and primitives for Firefox, taking into account its new GC heap implementation. The presentation will demonstrate a major upgrade of our 'unmask_jemalloc' Firefox heap exploration utility with new features, and support for Windows (and the WinDbg debugger). The new version of unmask_jemalloc, named 'shadow', will be released as open source along with the talk.


  • Patroklos Argyroudis
    Patroklos Argyroudis is a computer security researcher at CENSUS S.A., a company that builds on strong research foundations to offer specialized IT security services to customers worldwide. His main expertise is vulnerability research, exploit development, reverse engineering, and source code auditing. Patroklos has presented his research at several international security conferences (Black Hat USA and EU, Infiltrate, PH-Neutral, ZeroNights, etc.) on topics such as kernel and heap exploitation, kernel protection technologies, and network security protocols. He holds a PhD from Trinity College Dublin, where he has also worked as a postdoctoral researcher on applied cryptography.
