How To Win Pwnium
Chrome Security 101
ianbeer@chromium.org
Chrome Security Team
Zürich, Switzerland

Overview
● Architecture
● Getting In
○ Renderer Bugs
○ Use-after-Free Mitigations
● Getting Out
○ IPC
● The Future

Architecture
[Diagram: the Browser process holds the Filesystem and Network; the Renderer, Worker, GPU and Plugin processes are sandboxed and reach the Browser only over IPC. Legend: = sandboxed, = IPC]

Architecture
[Diagram: the same layout with the OS shown beneath each process; Network and Filesystem sit behind the Browser, V8 sits inside the Renderer, and the sandboxed Renderer and Plugin processes are linked to the Browser by IPC. Legend: = sandboxed, = IPC]

Blink/V8 bindings primer
[Diagram: Blink heap (RefCounted) beside V8 heap (GC); a Blink Object A has a V8 Wrapper V8_A, with references between them. Legend: = holds reference]
Interface definition (IDL):
    interface A {
        attribute DOMString width;
    }

Reference Cycles
[Diagram sequence: objects A, B, C, D linked by counted references in a cycle. Reference counts shown as A=1, B=2, C=1, D=1; when A's count drops to 0 and A is freed, B, C and D remain at 1 each and are never freed because they only reference each other. The following slides show one link in the cycle replaced by a raw pointer to break it. Legend: = holds reference, = raw pointer]

Reference Cycles (WebCore example)
[Diagram: the same A/B/C/D shape with A = WebCore::HTMLMediaElement, B = WebCore::MediaSource, C = WebCore::SourceBufferList, D = WebCore::SourceBuffer. Legend: = holds reference, = raw pointer]
http://scarybeastsecurity.blogspot.com/2013/02/exploiting-64-bit-linux-like-boss.html

Mitigating UaF (some of the time)
[Diagram: Blink heap (RefCounted) beside V8 heap (GC); Blink object A with wrapper V8_A, Blink object B, and a V8_Uint8Array. Legend: = holds reference, = raw pointer]

Mitigating UaF (some of the time)
[Diagram: as above, with B now also having a wrapper V8_B alongside the V8_Uint8Array. Legend: = holds reference, = raw pointer]

Mitigating UaF (some of the time)
[Diagram: Blink objects A and B, wrapper V8_A only. Legend: = holds reference, = raw pointer]

Partition Alloc
Conditions for object allocation in this region:
● Type is derived from same base
● Size equal
VM region never reused outside partition
Current status: dev channel
Partitioned:
● DOM
● RenderObject
● ArrayBuffer
● String, Vector, Hashtable
Unpartitioned:
● ScriptWrappables not under Node
● everything else

Mitigating UaF (some of the time)
[Diagram: Blink objects A and B with wrappers V8_A and V8_B; a pointer into B is questioned: "Pointer really points to a B? Probably." Legend: = holds reference, = raw or type-confused pointer]
No CRASH

IPC - Overview
[Diagram: Renderer (sandboxed): Send → Serialize Parameters → new IPC::Message → Socket or Named Pipe → Browser: Deserialize Parameters → Locate Target → Invoke OnMessageReceived(...). Legend: = sandboxed, = IPC]

IPC Bugs
Unchecked enums:
    content_accessed_[type] = true;
crbug.com/169770
Unchecked map keys:
    some_map[key]->second.some_method();
Complex State Machines:
https://src.chromium.org/viewvc/chrome?revision=206130&view=revision
https://src.chromium.org/viewvc/chrome?revision=203389&view=revision
Path Traversal:
https://codereview.chromium.org/12212091
Race Conditions: crbug.com/121726
Integer Overflow: crbug.com/169685
Logic bugs: crbug.com/162114

WebUI bindings
[Diagram: WebUI pages such as chrome://history and chrome://downloads call into the Browser with messages like chrome.send("openFile", ["1"]); ChildProcessSecurityPolicy is shown on the Browser side]

The Future?
● More NaCl
● More partitions
● More runtime memory-safety checking
● Continue reducing kernel attack surface
● Eliminate bug classes
● Site Isolation
● Rewrite in ________?

Finally:
https://code.google.com/p/chromium/codesearch
Cross-referencing code explorer for chromium
It's awesome
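The "Reference Cycles" slides show why a cycle of counted references leaks, why Blink breaks such cycles with a raw pointer, and why that raw pointer is the use-after-free risk the later slides mitigate. The following C++ program is an added illustration, not code from the slides or from Chromium: std::shared_ptr stands in for RefCounted, the type names (CyclicOwner, RawChild, WeakOwner and so on) are invented, and std::weak_ptr is used only to show what a back-reference that can detect a freed owner looks like in plain C++.

```cpp
// Added example (not Chromium code): three ways to wire a child back to its owner.
// std::shared_ptr plays the role of a counted ("holds reference") link, a plain
// pointer plays the slides' "raw pointer" link, std::weak_ptr a checkable link.
#include <cstdio>
#include <memory>

static int g_owners_alive = 0;   // counts live CyclicOwner objects for the leak demo

// (1) Counted references in both directions: a cycle that nothing ever frees.
struct CyclicChild;
struct CyclicOwner {
    std::shared_ptr<CyclicChild> child;
    CyclicOwner() { ++g_owners_alive; }
    ~CyclicOwner() { --g_owners_alive; }
};
struct CyclicChild {
    std::shared_ptr<CyclicOwner> back;   // counted back-reference: forms the cycle
};

// Returns how many owners are still alive after the only external handle is gone.
int OwnersLeakedByCycle() {
    g_owners_alive = 0;
    CyclicChild* child_raw = nullptr;
    {
        auto owner = std::make_shared<CyclicOwner>();
        owner->child = std::make_shared<CyclicChild>();
        owner->child->back = owner;       // owner count is now 2 (handle + back-reference)
        child_raw = owner->child.get();
    }                                     // handle dropped: count 1, nothing is freed
    int leaked = g_owners_alive;          // 1: the cycle keeps owner (and child) alive
    // Break the cycle from the outside so the example itself does not leak.
    std::shared_ptr<CyclicOwner> rescued = child_raw->back;
    child_raw->back.reset();
    rescued.reset();                      // count reaches 0: owner, then child, destroyed
    return leaked;
}
int OwnersAliveNow() { return g_owners_alive; }

// (2) Raw back-pointer: breaks the cycle, but nothing clears it when the owner dies.
struct RawOwner;
struct RawChild {
    RawOwner* back = nullptr;
};
struct RawOwner {
    std::shared_ptr<RawChild> child;
};

// True if the child still holds the freed owner's address after the owner is gone.
bool RawBackPointerStillSet() {
    auto child = std::make_shared<RawChild>();
    {
        auto owner = std::make_shared<RawOwner>();
        owner->child = child;
        child->back = owner.get();
    }                                     // owner freed; child outlives it
    // Dereferencing child->back here would be a use-after-free, so the example only
    // observes that the stale pointer is indistinguishable from a live one.
    return child->back != nullptr;
}

// (3) Weak back-reference: breaks the cycle and knows when its target is gone.
struct WeakOwner;
struct WeakChild {
    std::weak_ptr<WeakOwner> back;
};
struct WeakOwner {
    std::shared_ptr<WeakChild> child;
};

// True if the back-reference reports its owner as freed (lock() would yield null).
bool WeakBackPointerExpired() {
    auto child = std::make_shared<WeakChild>();
    {
        auto owner = std::make_shared<WeakOwner>();
        owner->child = child;
        child->back = owner;
    }                                     // owner freed; the weak link notices
    return child->back.expired();
}

int main() {
    std::printf("owners leaked by cycle: %d (alive after cleanup: %d)\n",
                OwnersLeakedByCycle(), OwnersAliveNow());
    std::printf("raw back-pointer still set after owner freed: %s\n",
                RawBackPointerStillSet() ? "yes" : "no");
    std::printf("weak back-pointer expired after owner freed: %s\n",
                WeakBackPointerExpired() ? "yes" : "no");
    return 0;
}
```

The middle case is the one the slides are about: once a counted link is replaced by a raw pointer to break the cycle, the object holding it has no way to tell that its target was freed, which is exactly what the partitioning described under "Partition Alloc" tries to make less exploitable rather than impossible.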
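The "IPC Bugs" slide names two browser-side patterns, an unchecked enum used as an array index (content_accessed_[type] = true;) and an unchecked map key (some_map[key]->second.some_method();). The following C++ program is an added example, not Chromium code: the message layout, the ContentType enum, the BrowserHost class and the host ids are invented to show the vulnerable shape next to a checked handler that validates the raw integers before they become an index or a lookup.

```cpp
// Added example (not Chromium code): a toy browser-side IPC handler. The renderer is
// untrusted, so every field of the deserialized message is just an integer until the
// browser has checked it. All names here are invented for illustration.
#include <cstdio>
#include <map>
#include <string>
#include <utility>

enum ContentType { kImage = 0, kScript = 1, kStylesheet = 2, kContentTypeCount = 3 };

// Fields exactly as they arrive after deserialization: plain ints, no guarantees.
struct UntrustedMessage {
    int type;   // intended to be a ContentType
    int key;    // intended to be a known host id
};

struct Host {
    explicit Host(std::string n) : name(std::move(n)) {}
    std::string name;
    int use_count = 0;
    void Touch() { ++use_count; }
};

class BrowserHost {
public:
    BrowserHost() { hosts_[7] = &host7_; hosts_[42] = &host42_; }

    // Vulnerable shape from the slide, kept only for comparison. An out-of-range
    // `type` writes outside content_accessed_; an unknown `key` makes operator[]
    // insert a null Host* which is then dereferenced.
    void HandleUnchecked(const UntrustedMessage& msg) {
        content_accessed_[msg.type] = true;
        hosts_[msg.key]->Touch();
    }

    // Checked form: range-check the integer before it becomes an enum or an index,
    // and look the key up without inserting. Returns false when the message is rejected.
    bool HandleChecked(const UntrustedMessage& msg) {
        if (msg.type < 0 || msg.type >= kContentTypeCount) {
            ++rejected_;
            return false;   // treat as a bad message from a misbehaving renderer
        }
        auto it = hosts_.find(msg.key);
        if (it == hosts_.end() || it->second == nullptr) {
            ++rejected_;
            return false;
        }
        content_accessed_[static_cast<ContentType>(msg.type)] = true;
        it->second->Touch();
        return true;
    }

    bool accessed(ContentType t) const { return content_accessed_[t]; }
    int rejected() const { return rejected_; }
    size_t host_count() const { return hosts_.size(); }   // would grow if operator[] inserted

private:
    bool content_accessed_[kContentTypeCount] = {false, false, false};
    std::map<int, Host*> hosts_;
    Host host7_{"seven"}, host42_{"forty-two"};
    int rejected_ = 0;
};

struct SampleResult {
    int accepted;
    int rejected;
    size_t hosts_after;
    bool script_seen;
    bool image_seen;
};

// Feeds constructed sample messages through the checked handler and reports what happened.
SampleResult RunSample() {
    const UntrustedMessage sample[] = {
        {kScript, 7},       // well-formed
        {9001, 7},          // enum out of range: would index past content_accessed_
        {kImage, 12345},    // unknown key: operator[] would insert a null Host*
        {-1, 42},           // negative index
    };
    BrowserHost browser;
    int accepted = 0;
    for (const auto& m : sample) accepted += browser.HandleChecked(m) ? 1 : 0;
    return {accepted, browser.rejected(), browser.host_count(),
            browser.accessed(kScript), browser.accessed(kImage)};
}

int main() {
    SampleResult r = RunSample();
    std::printf("accepted=%d rejected=%d hosts=%zu script_seen=%d image_seen=%d\n",
                r.accepted, r.rejected, r.hosts_after, r.script_seen, r.image_seen);
    return 0;
}
```

The check on `type` happens on the integer, before any cast: converting an out-of-range value to the enum type first and then comparing would already be too late, and `find()` rather than `operator[]` keeps an attacker-chosen key from mutating the map at all.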
© Copyright 2024