
Your Chakra Is Not Aligned

Video in TIB AV-Portal: Your Chakra Is Not Aligned

Formal Metadata

Title: Your Chakra Is Not Aligned
Title of Series:
Part Number: 18
Number of Parts: 20
Author:
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers:
Publisher:
Release Date: 2017
Language: English
Production Place: Brüssel

Content Metadata

Subject Area:
Abstract: Microsoft Chakra is the new JavaScript engine on the block, and the bugs are pouring in. This presentation discusses techniques for finding bugs in a ‘fresh’ ECMAScript engine. When standards are implemented, design decisions are made that can affect security for years to come. This talk describes some of the implementation details of Chakra and how they led to specific bugs, as well as some ideas for finding future bugs. Recommended for people who want to find more or better browser bugs!
Today I'm going to talk about bugs in Chakra, which is the Microsoft Edge scripting engine. There's actually a bit of a back story to this talk, because last year at this time I gave a talk on how to find vulnerabilities in Adobe Flash. I was sort of finishing up my work and trying to figure out what to do next, and someone suggested to me that I look at Chakra. At that point I didn't even know that Microsoft had open-sourced their JavaScript engine. I gave it a shot and ended up finding a lot of bugs, so today I'm going to talk a bit about what I found and the approach I took to find them.

My name is Natalie Silvanovich and I'm a security researcher on Google's Project Zero. I'm an ECMAScript enthusiast, and I like finding bugs in browsers, in Flash, and in pretty much anything that processes scripts.

So what is Chakra? Edge is the new Internet Explorer; it's Microsoft's new default browser on Windows 10, and Chakra is Edge's open-source ECMAScript engine. It's regularly updated, so it's not a case of uploading the code once and that was it: you can actually see active development, see the CVEs as they get fixed, and that sort of thing. It accepts external contributions, so you can put in the features you want to see in Microsoft Edge.

So what is ECMAScript? ECMAScript is the JavaScript standard. It's what developers implement when they try to create a JavaScript engine, and it is a living standard; there are always new versions coming out. The most recent one was ES7, which was released in June, so it's relatively new.

Something I realised quite quickly when looking at JavaScript engines is that the standard does not specify implementation. It says what the script needs to do, but not how it is implemented. So when you're creating a new JavaScript engine, developers need to make design decisions, and these design decisions are somewhat untested. There are trade-offs: things like security versus performance, how many checks you put in a certain place, ease of development, that sort of thing. Quite often, if you look at the older browsers, you can see where this stuff went wrong. You can see the things they made a concerted effort to get rid of bugs in, you know, some parts that have been through fire-fighting, like all the angry comments by developers as they try to fix a certain part over and over. The other disadvantage with a new JavaScript engine, both from the side of trying to secure it and from the side of trying to find bugs, is that it's not clear where the weak points are. There wasn't as much to start with, because there hadn't been so many bugs found yet, and in general I think this is really kind of the first time a few people have looked at Chakra, so there'll be many bugs in the future. What I was a bit surprised about is that I thought there would not be a lot of bug collisions, because with a new product there should be a lot of bugs that haven't been found yet, but it turned out that basically many people converged on the same bugs. I'm not sure why that happened; it may be that they were very obvious bugs, or that they're very similar to bugs that were found in other browsers.

So my goals: I wanted to find a lot of bugs in Chakra and understand where the weak areas are, so that there could be improvements in those areas. I was also hoping to find deep and unusual bugs, especially because everyone was pretty much converging on the same set of bugs. My approach was mostly code review. I find, especially if you're in a situation of wanting to find a lot of bugs and do a comprehensive job of finding all the similar bugs and eliminating defects, that code review is typically the best: you find quality bugs, and you can fix them with quality up front because you know what's causing them. I thought I would find bugs that maybe live longer and are more likely to be used by attackers, although that turned out not to be the case. They're also easier to fix, and you can get entire classes of bugs fixed. An interesting thing is that, as I was talking to one of the other people who had found similar bugs, he had found it by fuzzing, and he said that he wasn't even sure whether it was a use-after-free or a buffer overflow. That sort of thing is typical of bugs found through fuzzing: it's not always clear what causes them. Whereas if you spend a lot of time looking at the code, you can figure out why they happen, and hopefully find all ten places where that happens.

So to start, I have some advice. Reading the standard is really important if you want to find browser bugs in ECMAScript engines. You'd be amazed by the stuff that's in there; there's some pretty crazy stuff, and a lot of it causes bugs. If you can't bring yourself to read the standard, I recommend the Mozilla docs; they're fantastic. They have a description of every method, a browser compatibility table, and then a link to the ECMAScript standard where you can find more information. It's like you died and went to JavaScript documentation heaven, which by the way is where I totally hope to go when I die.

Many features are infrequently used, and these are the ones that cause bugs. There's almost a trade-off: every so often you find a bug in a really commonly used feature, but most of the bugs are in stuff that less than 1% of web pages, or even way less than that, ever use. And the standard is very deeply intertwined: quite often one thing that turns up in the standard has really far-reaching impacts in other places. One example of this is ArraySpeciesCreate. In JavaScript there are lots of different array methods that copy their results into a new array, for example slice, which takes two indexes and copies that subarray into a new array. But the problem is, let's say the thing you're slicing is actually a subclass of Array and not actually an Array: do I return the new thing as a subclass, or as a regular array? And of course, instead of picking one, why don't we make this a configurable property, and then you can specify which one you want. This is of course easily implemented by inserting a call into script into every single native array call. So that basically impacts everything you do with an array, makes it vulnerable, and it can interact with other design features.

For example, one of the big, important design decisions in creating a JavaScript engine is how arrays and how objects work. Most browsers use something like this, and this is exactly what Chakra does: you start off with a very small and not complex array, and then as you add new features to it, it becomes a more complex object. So you start off with just integers, and then you're an integer array; as soon as you have a float added, you become a float array, and that has to be twice as long as the integer array in bytes; and if you add an object to it, it then becomes a var array, and that means instead of having numbers in the array you have pointers to objects. Then the very final stage of an array, which doesn't happen very often, is: what if you configure a property on an array, what if you make one element of the array read-only? Then you have to actually have a structure with the properties of every element in it, and that's what they call an ES5 array. The way Chakra implements this is that they actually swap out the vtable: they very literally cast the object to bytes and then change the vtable to be something different. It's somewhat surprising, but that's what happens, and it has some interesting consequences with regards to bugs.

So to give an idea of how this works: you have your integer array, and this is how it's structured. This is actually a fairly elegant design. Every array is an array object, and it has a head that points to a segment of the array, and then the segment has where it starts and its length in it, and that sort of thing. Another thing to note about this is that a lot of browsers have the concept of a sparse array and a dense array, and Chakra doesn't really have that: basically a dense array is just a very, very small sparse array, and if it becomes sparse it just adds more segments. So if you change the type, say you add a float to this, it changes its type, swaps the vtable, and goes down this chain, and for every segment it will allocate a segment that is now twice the size, put in the things as floats, and then move on. So here is an example of how these two things combine to cause bugs.

There's this bug, which is in Array.prototype.filter, and there's a similar one in another array method. To show how this works in the script engine: first you start off, and you want to do this method, which basically runs a function on every element in an array, and if the function you provided returns true, it goes into the new array, otherwise it doesn't go into the new array. So you start off, you have to create the array, and realise that the constructor you provide can be anything. Then it does the call on every single one, and then it calls this DirectSetItemAt function, and that's kind of where the problem is. This one is actually only defined for the var arrays and not the other array types, so if you call it, it's a type confusion. The mistake here is that the developer assumed that when you're creating the new array it would be an object array, because that's what it's constructed as by default, but you can override it, and then that will also cause a type confusion. Here's what this looks like in JavaScript. Starting at the bottom: you create the array, and then you redefine the species, and that's what returns Dummy, which is the constructor that actually makes your array, and a property of Dummy is what causes the bug.

Something that is absolutely wild is that you can put interceptors, getters and setters, on the index of an array, and this has all sorts of interesting impacts. Here's how it works: you have your array, and then you call defineProperty to add a getter and setter to an index of this array, and then if you change it, it will call the getter and setter. What's even kind of weird is that quite often if you use internal properties of the array, like Array.prototype.push, it will still go through this accessor, and that can do all sorts of things that the developer wasn't expecting. This gets even more interesting if you look at how objects work in JavaScript. Every object has this class hierarchy, and this is defined by the prototype. So you start off looking for a property, say property 1: you look to see if it's in the real object; if it's not, you look in the prototype; if it's not there, in the prototype's prototype; and so on along the chain until it's null. That's how you get a property. So if you define the property not on the array but on the prototype object that is given to all arrays, it also works: you create these arrays after you've done that, and without ever touching the array, it will still trigger these accessors. It's not perfect, because if you initialise the array with a literal it doesn't work, but if you're creating an empty array and entering stuff into it, you can intercept this before you've ever touched the array. What's cool about that is that if it's done in a native method in the engine, quite often it will call the setter and you can get a handle to that array before it's even been returned to you, which can cause bugs.

A good example of a bug caused by this, and also by the array typing, is pretty simple. This is Array.prototype.toString, which is also called by join, and it basically cycles through every element in the array and converts it to a string. So it does this: it tries to get the item, and this is actually a templated function, so the type is baked in, and then it will try to convert the item, which can execute script, and that can call the thing that swaps the vtable out. At that point it's too late, because you're in a templated function that is not going to go back and change to the right template, so everything you do after that is on the wrong type, and it's a type confusion. Here's an example of the code that causes this; the thing to note is that you're actually putting the getter and setter on the index, so that's the thing that triggers the code that changes the array type.

Another interesting JavaScript feature is the Proxy. This is basically: what if you're not satisfied with using other things to write JavaScript, and you want to write JavaScript in JavaScript? So they have this function called a Proxy, which can intercept everything that you do to an object. Adhering to the spec for this is very full-featured: you can make it execute code if you call the constructor, if you get a property, if you get a property definition. There's a very, very large number of things you can intercept using this method, and it causes a number of problems in both browsers; there were also issues in Flash due to this. Basically, because this is supported, every single operation that handles an object in JavaScript has to consider the possibility that the call could be intercepted, and you always have to have that in your mind. There are always mistakes that are due to not realising that an object could be a proxy, and this one happened in Chakra.

One of the interceptors you can put on a proxy is on the prototype. So when I showed the prototype chain: if you have the prototype be a proxy, then as you go along the chain, you call a method and that returns the next prototype. This is unfortunate, because Chakra, and most engines I've looked at, perform checks when you set a prototype: you know it can be certain things and it can't be certain things, and sometimes you want to do things to the object to make it perform better as a prototype, make it a certain type, remove certain optimisations, that sort of thing. This doesn't happen if you have a proxy giving back the prototype. So in this case, this is a function, FillFromPrototypes, and this is: if you, for example, sort an array, you want to get all the objects off the prototype first before you sort it, otherwise it becomes much more complex. So before calling sort it will use this function to get all the properties of the prototype and put them into the main array before sorting it. In this one, you can see on the bottom it gets the prototype, and it made the assumption that the prototype is of a certain type, that it is an array, because normally when you set the prototype of an array it makes sure that it's an array. But in this case that violates the assumption, and it's once again a type confusion, due to DirectSetItemAt, which only works on certain array types, which are not guaranteed to be the case. This is the code here, and just to show how this works: you create a proxy with a handler, and it has the prototype intercepted at the top.

Another fun feature of ECMAScript is new.target. This is another kind of weird property. I mean, it's useful for subclassing, but you can also just use it with Reflect to create any object you want with any prototype you want. It's not that frequently used, but the way it's implemented in Chakra is that if you have a new.target on a function, it's just an extra parameter, so they push this parameter on the stack, increment the argument count, and then set a flag, which is great, but unfortunately another call also did this for something different. So this is a really fun bug: basically, if you create a proxy which does new.target on an eval, you'll get a confusion, because an eval can also get a set of extra arguments for another reason. I really like this one, because you can tweet it; it's an idiotic bug, but it's a type confusion.

This is also a case of untested code. All the other stuff I showed you is kind of weird JavaScript; this is something you absolutely should be able to do if you write your JavaScript in a certain way, and it's just that no one ever tried it. Then this is the last bug. Not everything is due to weird features; sometimes mistakes happen, and there is this one, where the sort at the bottom, I think, wasn't very much intended to be some sort of hard area, but it was. This is a simple uninitialised variable: if you have one, two or three arguments it does the right thing; if you have more, it just falls through and doesn't initialise it. This is also wonderfully tweetable and very easy to reproduce.

That's it. I think from doing this I learned a lot about how an ECMAScript engine's implementation choices lead to bugs, and how the sorts of things in JavaScript that are very unusual and not very well used in web pages can lead to a large number of bugs. So if you are doing this yourself, find one of these unused features, especially ones that add script execution points, and you'll be able to find a lot more bugs. I'll end with a bit of a call to join the party: the people working on Chakra are not very many yet, so I encourage everyone, if you're willing, to try your hand at it; there are a lot more bugs to be found. That's it, thanks a lot.

Are there any questions? Thank you.
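The re-entrancy points the talk keeps returning to (the species constructor, accessors on array indices and on Array.prototype, a Proxy sitting on the prototype chain, and new.target supplied through Reflect.construct) can all be exercised from plain JavaScript. The block below is an added example written for this page; it is not code from the talk or from the ChakraCore project. It runs under Node.js and only records, in order, each point at which a native operation had to call back into script; it does not reproduce any of the Chakra bugs described. The names Dummy, Base and Other, the trace strings and the sample arrays are constructed for the example.

```javascript
// Added example, not from the talk or ChakraCore. Each function runs a native
// operation and records, in order, every point at which the engine had to call
// back into script. Names (Dummy, Base, Other) and inputs are constructed here.

// 1. Species: Array.prototype.filter builds its result with
//    this.constructor[Symbol.species], which script can point at any constructor.
function speciesHook() {
  const trace = [];
  class Dummy {
    constructor(n) { trace.push(`species constructor called with length ${n}`); }
  }
  const a = [1, 2, 3, 4];                       // constructed sample input
  a.constructor = { [Symbol.species]: Dummy };  // own property shadows Array.prototype.constructor
  const out = a.filter(x => x > 2);             // filter does new Dummy(0), then stores 3 and 4 on it
  trace.push(`filter returned a ${out.constructor.name} with keys ${Object.keys(out)}`);
  return { trace, out };
}

// 2. Accessors on indices. An own accessor runs inside join. An accessor on
//    Array.prototype fires for an array that never had that index set (push
//    goes through it), but not for an array literal, which defines its own
//    elements directly without consulting the prototype.
function indexAccessorHook() {
  const trace = [];
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const a = [1, 2, 3];
  Object.defineProperty(a, '1', {
    get() { trace.push('own getter for a[1] ran inside join'); return 'G'; },
  });
  const joined = a.join(',');                   // '1,G,3'

  Object.defineProperty(Array.prototype, '0', {
    configurable: true,
    get() { trace.push('prototype getter for [0]'); return 'P'; },
    set(v) { trace.push(`prototype setter for [0] got ${v}`); },
  });
  let pushed, literal;
  try {
    const b = [];
    b.push('x');                                // Set(b, "0") reaches the prototype setter; no own b[0] is created
    pushed = { length: b.length, first: b[0], hasOwn: hasOwn(b, '0') };
    const c = ['y'];                            // literal: own data property, prototype accessor never consulted
    literal = { first: c[0], hasOwn: hasOwn(c, '0') };
  } finally {
    delete Array.prototype[0];                  // always restore the shared prototype
  }
  return { trace, joined, pushed, literal };
}

// 3. Proxy getPrototypeOf trap: once a Proxy sits on the prototype chain, walking
//    that chain (instanceof does this) calls script, and the trap may answer with
//    any object, so "an array's prototype is an array" is not an invariant.
function proxyPrototypeHook() {
  const trace = [];
  const proxiedProto = new Proxy(Array.prototype, {
    getPrototypeOf(target) {
      trace.push('getPrototypeOf trap ran during instanceof');
      return Object.prototype;                  // honest here, but it could return anything
    },
  });
  const a = [3, 1, 2];
  Object.setPrototypeOf(a, proxiedProto);
  a.sort();                                     // lookup of sort forwards through the proxy to Array.prototype
  const isInstance = a instanceof Array;        // walk: a -> proxy (trap) -> Object.prototype -> null
  return { trace, sorted: a.slice(), isInstance, isArray: Array.isArray(a) };
}

// 4. new.target is just an extra argument: Reflect.construct runs one
//    constructor with an unrelated newTarget, so the object a constructor is
//    handed need not have that constructor's prototype at all.
function newTargetHook() {
  const trace = [];
  function Base() { trace.push(`Base ran with new.target = ${new.target.name}`); }
  function Other() {}
  Other.prototype = { tag: 'other-prototype' };
  const obj = Reflect.construct(Base, [], Other);
  trace.push(`object prototype tag: ${Object.getPrototypeOf(obj).tag}`);
  return { trace, isBase: obj instanceof Base, isOther: obj instanceof Other };
}
```

Each function returns its trace so the order of script callbacks can be checked rather than printed. The useful habit when reviewing a native array method is to ask, at every Get, Set, ToString or prototype walk, which of these four hooks could run and whether the type the code assumed still holds afterwards.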