a tale of chakra bugs through the years
play

A tale of Chakra bugs through the years Bruno Keith (@bkth_) SSTIC - PowerPoint PPT Presentation

Sep 25, 2022 •39 likes •889 views

A tale of Chakra bugs through the years Bruno Keith (@bkth_) SSTIC 2019 whoami 24, Independent Researcher, Navigating the jungle of French entrepreneurship CTF player since 2016 (ESPR), now retired due to ptmalloc2 PTSD Vuln research since

  1. A tale of Chakra bugs through the years Bruno Keith (@bkth_) SSTIC 2019

  2. whoami 24, Independent Researcher, Navigating the jungle of French entrepreneurship CTF player since 2016 (ESPR), now retired due to ptmalloc2 PTSD Vuln research since 2018 Pwn2Own 2019, Hack2Win eXtreme 2018 Focused on RCEs in browsers Write-ups at phoenhex.re

  3. Disclaimer This talk is from the perspective of someone who has spent a lot of time in the last year on Chakra As such, the talk will only look at Chakra but it applies broadly to all JavaScript engines

  4. Agenda 1. Introduction to JS engines and Chakra internals 2. Observable side-effect bugs a. In the interpreter b. In the JIT 3. JS exploitation in 10 minutes 4. Non-observable side-effect bugs 5. Component interaction bugs 6. Conclusion

  5. Introduction to JS Engines (shamelessly copied from my OffensiveCon talk)

  6. What makes up a JavaScript engine? ● Parser ● Interpreter ● Runtime ● Garbage Collector ● JIT compiler(s)

  7. What makes up a JavaScript engine? ● Parser Entrypoint, parses the source code and produces custom bytecode ● Interpreter ● Runtime ● Garbage Collector ● JIT compiler(s)

  8. What makes up a JavaScript engine? ● Parser ● Interpreter Virtual machine that processes and “executes” the bytecode ● Runtime ● Garbage Collector ● JIT compiler(s)

  9. What makes up a JavaScript engine? ● Parser ● Interpreter ● Runtime Basic data structures, standard library, builtins, etc. ● Garbage Collector ● JIT compiler(s)

  10. What makes up a JavaScript engine? ● Parser ● Interpreter ● Runtime ● Garbage Collector Freeing of dead objects ● JIT compiler(s)

  11. What makes up a JavaScript engine? ● Parser ● Interpreter ● Runtime ● Garbage Collector ● JIT compiler(s) Consumes the bytecode to produce optimized machine code

  12. Chakra

  13. What is Chakra JavaScript engine written by Microsoft and powering Edge (not for long anymore) Written in C++ Open-sourced on GitHub

  14. Representing JSValues NaN-boxing: trick to encode both value and some type information in 8 bytes Use the upper 17 bits of a 64 bits value to encode some type information var a = 0x41414141 represented as 0x0001000041414141 var b = 5.40900888e-315 represented as 0xfffc000041414141 Upper bits cleared => pointer to an object which represents the actual value

  15. Representing JSObjects JavaScript objects are basically a collection of key-value pairs called properties The object does not maintain its own map of property names to property values. The object only has the property values and a Type which describes that object’s layout. => Saves space by reusing that type across objects and allows for optimisations such as inline caching Bunch of different layouts for performance.

  16. Objects internal representation var a = {}; 0x00010000414141 0x00010000424242 a.x = 0x414141; a.y = 0x424242; __vfptr type auxSlots objectArray

  17. Objects internal representation var a = {x: 0x414141, y:0x424242}; stored with a layout called ObjectHeaderInlined __vfptr type 0x0001000000414141 0x0001000000424242 Object with this layout can transition to the previous layout

  18. Representing JSArrays ● Standard-defined as an exotic object having a “length” property defined ● Most engines implement basic and efficient optimisations for Arrays internally ● Chakra uses a segment-based implementation ● Three main classes to allow storage optimization: ○ JavascriptNativeIntArray ○ JavascriptNativeFloatArray ○ JavascriptArray

  19. Observable side-effects bugs Also called re-entrancy bugs

  20. Background JavaScript has a lot of ways to trigger callbacks Certain operations can be “observed” (i.e re-enter user code) For example, accessing a property can run user-defined code let a = {}; a.__defineGetter__('x', funtion() { print('hello'); }); a.x; // <= will print 'hello'

  21. Problematic programming pattern In the implementation of JS function, we can have the following pattern: 1. Fetch a value (length for example) or get an unprotected reference to an address or maybe check some condition 2. Execute some code 3. Use value fetched at 1 or assume checked condition is still met What if step 2 calls back into JavaScript and “invalidates” step 1? Has plagued the DOM for ages as well as JavaScript engines

  22. CVE-2016-3386 by Natashenka Spread operator allows to “flatten” arrays to use them as parameters: function add(a, b) { return a + b; } let arr = [1, 2]; add(arr[0], arr[1]); // can also be written as: add(...arr);

  23. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) { element = undefined; } destArgs.Values[argsIndex++] = element; }

  24. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) Check that the array is large enough { element = undefined; } destArgs.Values[argsIndex++] = element; }

  25. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) Set the destArgs array elements { element = undefined; } destArgs.Values[argsIndex++] = element; }

  26. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) Array length is re-fetched every iteration { element = undefined; } destArgs.Values[argsIndex++] = element; }

  27. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) Direct array access { element = undefined; } destArgs.Values[argsIndex++] = element; }

  28. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) This can call back into JavaScript!! { element = undefined; } destArgs.Values[argsIndex++] = element; }

  29. CVE-2016-3386 by Natashenka // destArgs is a pre-allocated array for the result of the spread operator if (argsIndex + arr->GetLength() > destArgs.Info.Count) { AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?"); Throw::FatalInternalError(); } for (uint32 j = 0; j < arr->GetLength(); j++) { Var element; if (!arr->DirectGetItemAtFull(j, &element)) This can call back into JavaScript!! { element = undefined; We can update the length to make the array } destArgs.Values[argsIndex++] = element; larger therefore invalidating the first } hypothesis that the result array is large enough !

  30. CVE-2016-3386 by Natashenka let a = [1,2,3]; // setting length to 4 means that a[3] // is not defined on the array itself // the spread operation will have to walk // the prototype chain to see if it is defined a.length = 4; // a.__proto__ == Array.prototype // callback will be executed when doing // DirectGetItemAtFull for index 3 Array.prototype.__defineGetter__("3", function () { a.length = 0x10000000; a.fill(0x414141); }); // trigger array spread, will trigger a segfault Math.max(...a);

  31. Observable side-effect bugs A lot of these bugs in the interpreter in 2016 and 2017 Mostly gone these days Code is always one refactoring away from introducing these again Most of them could at the very least lead to an ASLR bypass and potentially RCE

  32. Observable side-effect bugs What about the JIT? Harder to spot in a vacuum But pretty similar bugs :)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry ECMAScript enthusiast

893 views • 39 slides
Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More

Defect Detection Thomas Zimmermann The First Bug September 9, 1947 More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs More Bugs Facts on Debugging Software bugs are

840 views • 63 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Frank Mittelbach I presume this is one of several dozen bugs that would arise over the years if

Frank Mittelbach I presume this is one of several dozen bugs that would arise over the years if

Frank Mittelbach I presume this is one of several dozen bugs that would arise over the years if anyone were foolish enough to try allowing &quot;_&quot; in command names. Leslie Lamport 1982 TeX2 4 years later 1986 LaTeX 2.09

415 views • 22 slides
A Tale of Two Years: Montanas Economic Slowdown Patrick M. Barkey, Director Bureau of

A Tale of Two Years: Montanas Economic Slowdown Patrick M. Barkey, Director Bureau of

A Tale of Two Years: Montanas Economic Slowdown Patrick M. Barkey, Director Bureau of Business and Economic Research University of Montana 4% Figure 1 (Source: Legislative Fiscal Division) State General Fund Revenue Collections Year over

384 views • 20 slides
BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on

BED BUGS HOW TO HELP SOLVE THE PROBLEM WHAT ARE BED BUGS? Bed bugs are parasites that feed on blood They are reddish-brown in colour An adult bed bug is approximately the size of an apple seed An egg is approximately the size of a

163 views • 15 slides
ETH Zrich FFmpeg and a thousand fixes &gt;1,000 bugs found and fixed 2 person-years &amp;

ETH Zrich FFmpeg and a thousand fixes &gt;1,000 bugs found and fixed 2 person-years &amp;

Fine-Grained Control-Flow Integrity through Binary Hardening Mathias Payer, Antonio Barresi, Thomas R. Gross ETH Zrich FFmpeg and a thousand fixes &gt;1,000 bugs found and fixed 2 person-years &amp; fuzzing on large cluster

366 views • 23 slides
X11 and Wayland A tale of two implementations 1 / 20 Concepts What is hikari and what am I

X11 and Wayland A tale of two implementations 1 / 20 Concepts What is hikari and what am I

X11 and Wayland A tale of two implementations 1 / 20 Concepts What is hikari and what am I trying to achieve? window manager / compositor and Goals started 1.5 years ago written from scratch stacking / tiling hybrid approach inspired by cwm

249 views • 21 slides
The Telescope Array Low-Energy Extension (TALE) C. Jui For the TA/TALE Collaboration ISVHECRI,

The Telescope Array Low-Energy Extension (TALE) C. Jui For the TA/TALE Collaboration ISVHECRI,

The Telescope Array Low-Energy Extension (TALE) C. Jui For the TA/TALE Collaboration ISVHECRI, FNAL, July 1, 2010 Features in the UHECR spectrum: The minority straight-forward View CMBR photons interact with cosmic ray protons: Pion

520 views • 20 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
The Environmentalists Tale Damnation, Purgatory and Armageddon The Environmentalists Tale 2

The Environmentalists Tale Damnation, Purgatory and Armageddon The Environmentalists Tale 2

The Environmentalists Tale Damnation, Purgatory and Armageddon The Environmentalists Tale 2 Environmental Eden Managing Ecology Shift in livelihood strategies Barka Alla, North of Kutum, North Darfur 70% 60% 50% 40% Before Currently

341 views • 21 slides
Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer &amp; PMC Member uschindler@apache.org

Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer &amp; PMC Member uschindler@apache.org

Testing Lucene and Solr with various JVMs: Bugs, Bugs, Bugs Uwe Schindler Apache Lucene Committer &amp; PMC Member uschindler@apache.org http://www.thetaphi.de, http://blog.thetaphi.de @ThetaPh1 SD DataSolutions GmbH , Wtjenstr. 49, 28213

1.13k views • 71 slides
Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives Discuss the complexities in mitigating security bugs occurring in network protocols. Describe some current issues. Leave time for Q&amp;A.

631 views • 50 slides
Chakra, a user friendly distribution using the KDE desktop Laszlo Papp 04.07.2010 | T ampere |

Chakra, a user friendly distribution using the KDE desktop Laszlo Papp 04.07.2010 | T ampere |

Chakra, a user friendly distribution using the KDE desktop Laszlo Papp 04.07.2010 | T ampere | Akademy Agenda Introduction KDEmod Half-rolling release model Live CD development T ool development Community Questions

572 views • 35 slides
Talk is cheap. IT tale by an embittered storyteller #talkischeap

Talk is cheap. IT tale by an embittered storyteller #talkischeap

Talk is cheap. IT tale by an embittered storyteller #talkischeap http://creativecommons.org/licenses/by-sa/3.0/es/ #talkischeap Pedro Gonzlez Serrano (aka NITEMAN) Performance and process consultant Sysadmin 10,5 years working with

456 views • 34 slides
Angel alchemy session 2 Bubble clearing, the 4 clairs, the root and sacral chakra What is Angel

Angel alchemy session 2 Bubble clearing, the 4 clairs, the root and sacral chakra What is Angel

Angel alchemy session 2 Bubble clearing, the 4 clairs, the root and sacral chakra What is Angel Alchemy? The art and science of invoking Source and Angelic Energy to produce DRAMATIC and RAPID healing in the deepest aspects of our hearts,

404 views • 17 slides
Paul Manns slides Jamaica and the Caribbean and some others 1 Nan Nelson, Matt Liston,

Paul Manns slides Jamaica and the Caribbean and some others 1 Nan Nelson, Matt Liston,

Paul Manns slides Jamaica and the Caribbean and some others 1 Nan Nelson, Matt Liston, Lauren Magin, Cal Cooper, Sue Anderson, Dwight Bradley, Jim Pindell, Andy Bobyarchick, ?, ?. ?, Dwight Bradley, Matt Liston, Lauren Magin, Cal Cooper,

164 views • 14 slides
Thinking'in'ClojureScript Programming)is)not)about)typing,)it's)about)thinking)4)Rich)Hickey

Thinking'in'ClojureScript Programming)is)not)about)typing,)it's)about)thinking)4)Rich)Hickey

Thinking'in'ClojureScript Programming)is)not)about)typing,)it's)about)thinking)4)Rich)Hickey What%is%ClojureScript? ClojureScript-is-a-compiler-for-Clojure-that-targets-JavaScript. Goals Understand*the*ClojureScript*thought*process

922 views • 36 slides
Applying Random Testing to a Base Type Environment Experience Report Vincent St-Amour Neil

Applying Random Testing to a Base Type Environment Experience Report Vincent St-Amour Neil

Applying Random Testing to a Base Type Environment Experience Report Vincent St-Amour Neil Toronto PLT ICFP 2013 - September 27th, 2013 base e : base e : base e : base e : base e : first :

735 views • 54 slides
CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic

CE419 Session 5: JavaScript Web Programming 1 What is JavaScript? JavaScript is a dynamic programming language. Introduced in 1995 as a way to add programs to web pages in the Netscape Navigator browser. It has made modern web

795 views • 35 slides
fingerprinting for outdoor Geolocation using LoRa 1 HumanTech | 14.06.2019 | SDS 2019 Outline

fingerprinting for outdoor Geolocation using LoRa 1 HumanTech | 14.06.2019 | SDS 2019 Outline

Francesco Carrino Ales Janka Omar Abou Khaled Elena Mugellini Simon Ruffieux LoRaLoc: machine learning-based fingerprinting for outdoor Geolocation using LoRa 1 HumanTech | 14.06.2019 | SDS 2019 Outline Context and goals

221 views • 19 slides
DevelopingMTforaLowDataLanguage WilliamLewis MicrosoftResearch Credits

DevelopingMTforaLowDataLanguage WilliamLewis MicrosoftResearch Credits

DevelopingMTforaLowDataLanguage WilliamLewis MicrosoftResearch Credits CarnegieMellonUniversity ButlerHillGroup Mission4636/Crowdflower Ushahidi MoraviaWorldwide Welocalize

270 views • 24 slides
FLOATING POINT REPRESENTATION ABOUT FLOATING POINTS Integer Data Type 32-bit unsigned integers

FLOATING POINT REPRESENTATION ABOUT FLOATING POINTS Integer Data Type 32-bit unsigned integers

FLOATING POINT REPRESENTATION ABOUT FLOATING POINTS Integer Data Type 32-bit unsigned integers limited to whole numbers from 0 to just over 4 billion What about national debt, Avogadros number, Googlethe number? 64-bit

229 views • 22 slides
Announcements: Discussion via Zoom please attend Test 2A feedback on Gradescope.

Announcements: Discussion via Zoom please attend Test 2A feedback on Gradescope.

Previous lecture: Objects are passed by reference to functions Details on class definition (c onstructor, instance method) Todays lecture: Overloading methods Array of objects Class reuse Announcements:

585 views • 29 slides

More recommend