How To Win Pwnium Chrome Security 101 Chrome Security Team Zürich, Switzerland

How To Win Pwnium
Chrome Security 101
ianbeer@chromium.org
Chrome Security Team
Zürich, Switzerland
Overview
● Architecture
● Getting In
○ Renderer Bugs
○ Use-after-Free Mitigations
● Getting Out
○ IPC
● The Future
Architecture
Filesystem
Network
Browser
Worker
GPU
Renderer
= sandboxed
= IPC
Renderer
Plugin
Architecture
Network
Filesystem
Browser
Plugin
Network
V8
Worker
GPU
OS
Renderer
Renderer
Plugin
OS
= sandboxed
= IPC
OS
OS
OS
Blink/V8 bindings primer
Blink heap
V8 heap
RefCounted
GC
A
V8_A
Blink Object
V8 Wrapper
Interface definition IDL
interface A {
attribute DOMString width;
}
= holds reference
Reference Cycles
A
B
D
= holds reference
C
Reference Cycles
1
A
2
B
1
D
= holds reference
1
C
Reference Cycles
0
A
2
B
1
D
= holds reference
1
C
Reference Cycles
1
B
1
D
= holds reference
1
C
Reference Cycles
A
B
D
= holds reference
= raw pointer
C
Reference Cycles
A
B
D
= holds reference
= raw pointer
C
Reference Cycles
WebCore::HTMLMediaElement
A
WebCore::MediaSource
B
WebCore::SourceBuffer
D
C
WebCore::SourceBufferList
= holds reference
= raw pointer
http://scarybeastsecurity.blogspot.
com/2013/02/exploiting-64-bit-linux-like-boss.html
Mitigating UaF (some of the time)
Blink heap
V8 heap
RefCounted
GC
A
V8_A
B
V8_Uint8Array
= holds reference
= raw pointer
Mitigating UaF (some of the time)
Blink heap
V8 heap
RefCounted
GC
A
B
V8_A
V8_B
V8_Uint8Array
= holds reference
= raw pointer
Mitigating UaF (some of the time)
Blink heap
V8 heap
RefCounted
GC
A
B
= holds reference
= raw pointer
V8_A
Partition Alloc
Conditions for object allocation in this region:
● Type is derived from same base
● Size equal
VM region never reused outside partition
Current status:
dev channel
Partitioned:
● DOM
● RenderObject
● ArrayBuffer
● String, Vector,
Hashtable
Unpartitioned:
● ScriptWrappables not under Node
● everything else
Mitigating UaF (some of the time)
Blink heap
V8 heap
RefCounted
GC
A
B
V8_A
Pointer really
points to a B?
Probably
V8_B
= holds reference
= raw or type-confused pointer
No
CRASH
IPC - Overview
Browser
Deserialize Parameters
Socket or Named Pipe
Locate Target
Invoke OnMessageReceived(...)
Renderer
Send
Serialize Parameters
new IPC::Message
= sandboxed
= IPC
IPC Bugs
Unchecked enums:
content_accessed_[type] = true;
crbug.com/169770
Unchecked map keys:
some_map[key]->second.some_method();
Complex State Machines:
https://src.chromium.
org/viewvc/chrome?
revision=206130&view=revision
https://src.chromium.org/viewvc/chrome?revision=203389&view=revision
Path Traversal:
https://codereview.chromium.org/12212091
Race Conditions:
crbug.com/121726
Integer Overflow:
crbug.com/169685
Logic bugs:
crbug.com/162114
WebUI bindings
Browser
ChildProcessSecurityPolicy
chrome.send(“openFile”, [“1”]);
chrome://history
chrome://downloads
The Future?
● More NaCl
● More partitions
● More runtime memory-safety checking
● Continue reducing kernel attack surface
● Eliminate bug classes
● Site Isolation
● Rewrite in ________?
Finally:
https://code.google.com/p/chromium/codesearch
Cross-referencing code explorer for chromium
It’s awesome