2024-10-23 –, Vianden & Wiltz
Many Chrome exploits can lead to execution of remote code and most of these exploits started out with a vulnerability in V8. So, many Experts dive into bug bounty to find potentially exploitable vulnerabilities. But, there is a significant lack of publicly available analysis guides for beginners to start, and it is challenging to analyze the technical meanings using only documents.
We will share the detailed steps needed for beginners who have yet to experience about V8 exploits. First, we describe the detailed structure (memory, object, etc.) and mechanism. Furthermore, we explore bugs via d8 debugger and explain step-by-step how to write exploit code.
The audience will have the opportunity to learn and experience V8 exploit techniques by not only studying the theory but also analyzing the V8 engine through hands-on training. The hands-on training will be conducted through our VDI environment, therefore the audience can access and enjoy it freely with their personal laptops without setting up a practice environment.
※ The audience will be able to enjoy interesting and valuable training in a comfortable practice environment.
We hope that this workshop will encourage many beginners to dive into V8 vulnerability research.
Section 1. About V8 Engine
The first section focuses on the basic theories necessary to analyze vulnerabilities in V8 and perform exploits. V8 is one of the JavaScript engines and uses a JIT compiler. We talk about the JIT compiler and then explain the V8 compiler mechanism including the newest compiler, Maglev.
Section 2. Let’s Debug
The second section details how to debug V8 Engine using d8 in the provided VDI environment. We explain the memory structure of V8, the role and operation of the GC (Garbage Collection), and analyze V8 objects via d8. Through this section, the audience will be able to understand the object structure and learn basic V8 debugging techniques.
Section 3. Exploiting in V8
In the third section, we exploit V8 after analyzing a bug that was found in V8.
First, we analyze a bug that was found in V8 and perform PoC (Proof of Concept). Then we examine the optimization process via Turbolizer and analyze in detail the point where the bug occurs.
We provide a detailed step-by-step explanation of the exploitation process. Then we create an OOB array using a bug and bypass the V8 sandbox to read/write to arbitrary memory.
Eventually, this leads to modifying the RIP to jump to an arbitrary address and executing shellcode.
[Requirements]
- We provide virtual environments for practice (only need a personal laptop)
- Experience using GDB for debugging
- Basic JavaScript knowledge
- Interest in Browser Exploits
The team leader of EQST Lab in SK Shieldus,
Executive Manager of the Ransomware Response Center (KARA-Korean Anti Ransomware Alliance)
- Researching on new vulnerabilities and Identifying of Cybersecurity Trends
- Managing Cybersecurity Consulting Projects
- Delivered Various presentations on attack threats and ransomware trends
- https://x.com/EQSTLab
- https://www.skshieldus.com/eng/business/insight.do