From Zero to Zero Day

Video thumbnail (Frame 0) Video thumbnail (Frame 970) Video thumbnail (Frame 2426) Video thumbnail (Frame 3373) Video thumbnail (Frame 4846) Video thumbnail (Frame 5884) Video thumbnail (Frame 7134) Video thumbnail (Frame 8394) Video thumbnail (Frame 9699) Video thumbnail (Frame 11427) Video thumbnail (Frame 12404) Video thumbnail (Frame 13519) Video thumbnail (Frame 15172) Video thumbnail (Frame 17176) Video thumbnail (Frame 22549) Video thumbnail (Frame 23478) Video thumbnail (Frame 24482) Video thumbnail (Frame 25618) Video thumbnail (Frame 26546) Video thumbnail (Frame 27563) Video thumbnail (Frame 28688) Video thumbnail (Frame 33929) Video thumbnail (Frame 35573) Video thumbnail (Frame 37224) Video thumbnail (Frame 38835) Video thumbnail (Frame 40463) Video thumbnail (Frame 41939) Video thumbnail (Frame 43099) Video thumbnail (Frame 44125) Video thumbnail (Frame 45070) Video thumbnail (Frame 47040) Video thumbnail (Frame 48222) Video thumbnail (Frame 49800) Video thumbnail (Frame 50807) Video thumbnail (Frame 51751) Video thumbnail (Frame 52899) Video thumbnail (Frame 55127) Video thumbnail (Frame 56839) Video thumbnail (Frame 57859) Video thumbnail (Frame 59333) Video thumbnail (Frame 60527) Video thumbnail (Frame 62568) Video thumbnail (Frame 64133) Video thumbnail (Frame 65100) Video thumbnail (Frame 66460) Video thumbnail (Frame 68752) Video thumbnail (Frame 70199) Video thumbnail (Frame 71645)
Video in TIB AV-Portal: From Zero to Zero Day

Formal Metadata

Title
From Zero to Zero Day
Title of Series
Author
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
In this talk I will share my story of how in a little over a year, a high school student with almost zero knowledge in security research found his first RCE in Edge.
Keywords Security

Related Material

Video is cited by the following resource
Goodness of fit Division (mathematics) Musical ensemble Semiconductor memory
Mathematics Type theory Vulnerability (computing) Perfect graph Just-in-Time-Compiler Multiplication sign Demo (music) Information security Mereology Information security Magnetic stripe card Computer programming
Operations research Vulnerability (computing) Demo (music) Code Software developer Continuous function Local Group Data management Military operation Personal digital assistant System programming Information Quicksort Information security Implementation Physical system Directed graph Vulnerability (computing) Self-organization
Dataflow Group action Software developer Code Mathematical analysis Computer programming Local Group Data management Military operation Graph (mathematics) Information Divisor Implementation Directed graph Vulnerability (computing) Self-organization Operations research Programming language Vulnerability (computing) Execution unit Software developer GUI widget Solid geometry Continuous function Group action Computer programming Open set Formal language System programming Quicksort Information security Physical system
Classical physics Multiplication sign Mereology Local Group Writing Memory management Integer Game theory Information security Buffer overflow Vulnerability (computing) Data buffer Buffer overflow
Mobile app Multiplication sign Water vapor Mereology Information security
Multiplication sign Video game Mereology Buffer overflow Twitter
Different (Kate Ryan album) Videoconferencing Graph (mathematics) Video game Water vapor Pattern language Mereology Game theory Information security YouTube Vulnerability (computing)
Optical disc drive Code Military base Connectivity (graph theory) Real number Projective plane Website Video game Exploit (computer security) Vulnerability (computing) Software bug
Vulnerability (computing) Process (computing) Code Pattern language Software bug Vulnerability (computing)
Covering space Vulnerability (computing) Code Multiplication sign Code Mereology Line (geometry) Software bug Type theory Error message Integer Pattern language output Buffer overflow
Vulnerability (computing) Existence Functional (mathematics) Military base Code State of matter Software developer State of matter 1 (number) Set (mathematics) Primitive (album) Mereology Software bug Force Pointer (computer programming) Graph (mathematics) Buffer overflow Address space Vulnerability (computing)
Programming language Functional (mathematics) Scripting language Just-in-Time-Compiler Machine code Just-in-Time-Compiler Code Run time (program lifecycle phase) Multiplication sign Software developer Java applet Code Parsing Compiler Primitive (album) Mereology Formal language Process (computing) Interpreter (computing) Information security Compilation album Vulnerability (computing)
Dataflow Functional (mathematics) Scripting language Inheritance (object-oriented programming) System call Just-in-Time-Compiler Proxy server Java applet Code Logarithm Login Element (mathematics) Formal language Prototype Array data structure Different (Kate Ryan album) Object (grammar) Operator (mathematics) Video game console Damping Integer Data conversion Proxy server Mathematical optimization Vulnerability (computing) Operations research Inheritance (object-oriented programming) Java applet Data storage device Letterpress printing System call Formal language Element (mathematics) Category of being Type theory Pointer (computer programming) Personal digital assistant Function (mathematics) Mixed reality Data conversion Object (grammar) Quicksort Prototype Integer
Point (geometry) Scripting language Length Electronic mailing list Data storage device Disk read-and-write head Element (mathematics) Element (mathematics) Pointer (computer programming) Semiconductor memory Personal digital assistant Graph (mathematics) Flag Analytic continuation Diagram
Greatest element Venn diagram Length Code Field (computer science) Volume (thermodynamics) Element (mathematics) Element (mathematics) Category of being Sample (statistics) Read-only memory Semiconductor memory Personal digital assistant Flag Integer MiniDisc Address space Flag
Telephone number mapping Vulnerability (computing) Focus (optics) Personal digital assistant Flag Object (grammar) Field (computer science) Telephone number mapping Flag
Logical constant Sample (statistics) Semiconductor memory Personal digital assistant Code Flag Category of being Element (mathematics) Data type Flag
Read-only memory Semiconductor memory Flag Core dump Element (mathematics)
Read-only memory State of matter Mixed reality Content (media) Flag Core dump Quicksort Element (mathematics) Metadata Flag
Dataflow Validity (statistics) State of matter Data storage device Control flow Variance Element (mathematics) Number Exclusive or Category of being Exclusive or Array data structure Voting Cuboid Damping Representation (politics) Normal (geometry) Glass float Vulnerability (computing)
Functional (mathematics) Just-in-Time-Compiler Just-in-Time-Compiler Machine code Code 1 (number) Code Sound effect Computer programming Software bug Type theory Personal digital assistant Function (mathematics) Data conversion Data conversion Object (grammar) Vulnerability (computing) Data type
Functional (mathematics) Just-in-Time-Compiler Just-in-Time-Compiler Machine code State of matter Multiplication sign Instance (computer science) Perturbation theory Computer programming Type theory Mathematics Loop (music) Personal digital assistant Function (mathematics) Force Vulnerability (computing) Data type
Functional (mathematics) Just-in-Time-Compiler Just-in-Time-Compiler Machine code Digitizing Control flow Sound effect Compiler Software bug Type theory Mathematics Data conversion Compilation album Vulnerability (computing) Data type
Vulnerability (computing) Functional (mathematics) Personal digital assistant State of matter Content (media) Code Flag Prototype Element (mathematics) Vulnerability (computing)
Vulnerability (computing) Functional (mathematics) Slide rule Code Code Price index Mereology Type theory Prototype Digital photography Oval Personal digital assistant Graph (mathematics) Statement (computer science) Flag Statement (computer science)
Vulnerability (computing) Email Prototype Length Length Flag
Vulnerability (computing) Functional (mathematics) Code Multiplication sign Length Parameter (computer programming) Counting Mereology Element (mathematics) Element (mathematics) Array data structure Oval Iteration Enumerated type Statement (computer science) Statement (computer science) Prototype Directed graph Electric current
Vulnerability (computing) Multiplication sign Length Counting Counting System call Element (mathematics) Element (mathematics) Array data structure Prototype Loop (music) Oval Iteration Statement (computer science) Cuboid Prototype Directed graph Electric current
Slide rule Vulnerability (computing) Functional (mathematics) EDIF Multiplication sign Price index Parameter (computer programming) Mereology Type theory Chain Prototype Digital photography Loop (music) Programmschleife Oval Chain Object (grammar) Prototype
Vulnerability (computing) Functional (mathematics) Just-in-Time-Compiler Proxy server Java applet Code Sound effect Type theory Chain Array data structure Prototype Personal digital assistant Function (mathematics) Object (grammar) Chain Data conversion Prototype Proxy server Loop (music) Flag
Axiom of choice Functional (mathematics) Just-in-Time-Compiler Machine code Proxy server Code Mereology Variance Sound effect Prototype Object (grammar) Error message Data type Vulnerability (computing) Just-in-Time-Compiler Sound effect Perturbation theory Type theory Proof theory Array data structure Loop (music) Function (mathematics) Chain Object (grammar) Prototype Glass float
Vulnerability (computing) Functional (mathematics) Proxy server Constraint (mathematics) Logarithm Line (geometry) Type theory Prototype Loop (music) Object (grammar) Function (mathematics) Damping Prototype Proxy server Error message
Vulnerability (computing) Functional (mathematics) Key (cryptography) Logarithm Mereology Event horizon Type theory Prototype Function (mathematics) Object (grammar) Chain Flag Damping Prototype Error message
Functional (mathematics) Just-in-Time-Compiler Machine code Proxy server Code Logarithm Multiplication sign Parameter (computer programming) Element (mathematics) Pointer (computer programming) Prototype Crash (computing) Object (grammar) Damping Data conversion Proxy server Address space Vulnerability (computing) Line (geometry) Loop (music) Pointer (computer programming) Personal digital assistant Function (mathematics) Crash (computing) Chain Video game console Object (grammar) Prototype
Vulnerability (computing) Functional (mathematics) Implementation Just-in-Time-Compiler Digitizing Line (geometry) Prototype Array data structure Term (mathematics) Crash (computing) Function (mathematics) Object (grammar) Chain Damping Object (grammar) Prototype
Point (geometry) Logarithm Primitive (album) Number Software bug Leak Pointer (computer programming) Object (grammar) Damping Information Process (computing) Data conversion Library (computing) Address space Context awareness Vulnerability (computing) Just-in-Time-Compiler View (database) Primitive (album) Thread (computing) Type theory Pointer (computer programming) Personal digital assistant Function (mathematics) Crash (computing) Analytic continuation Object (grammar) Address space
Context awareness Hoax Code Primitive (album) Field (computer science) Computer programming Leak Pointer (computer programming) Term (mathematics) Core dump Energy level Process (computing) Information Library (computing) Address space Context awareness Demo (music) View (database) Graph (mathematics) Primitive (album) Thread (computing) Proof theory Pointer (computer programming) Calculation Analytic continuation Object (grammar) Address space
Duality (mathematics) Demo (music) Code Demo (music) Source code Exploit (computer security) Maxima and minima 2 (number) Object-oriented programming Calculation Gastropod shell Mathematical optimization Row (database)
Proof theory Pointer (computer programming) Just-in-Time-Compiler Demo (music) Code Personal digital assistant Feedback Demo (music) Sound effect Hill differential equation Object (grammar) Data conversion
Feedback Information security
Open source Internetworking Multiplication sign Musical ensemble Line (geometry) Automatic differentiation Number
Domain name Just-in-Time-Compiler Open source Connectivity (graph theory) Multiplication sign System call Number Formal language Software bug Latent heat Process (computing) Traffic reporting Compilation album Reading (process) Window Vulnerability (computing)
Code Multiplication sign Graph (mathematics) Escape character Number
Multiplication sign Right angle Mereology
Cartesian closed category Musical ensemble Semiconductor memory Inflection point
[Music] Jonason wonderful good morning you're gonna tell us about the last 12 months on what you have done so your talk is called from zero to zero day this is Jonathan Jay from the nsrc in Israel a division of Microsoft and the stage is yours and that is your applause
so hi everyone my name is Jonathan and
I'm a security researcher in an MSR seen in Israel on my free time I play CTF
with team perfect blue and I also do research on my own I'm just an eighteen year old and I started doing security related stuff last year so the first part of this talk is going to be about what I learned in the past year and how
I learned it so if you're just starting off in security and you want to learn what to pick up what I did and learn from what what I did this is a this could be helpful for you and for the more experienced security researchers in the audience the second part of this talk is going to be about a zero-day I found in chakra a JIT type confusion so we're gonna die and we're gonna dive deep into that and even if you're just starting in security a basic understanding in programming is probably going to be
enough to follow up there's gonna be a lot of code but it's fine it's not too complex and last but not least we're gonna finish up with a demo hopefully working one so yeah let's let's start off so why vulnerability research vulnerabilities are for me some sort of
riddles there is some sort of very challenging riddles that we have to find some flaws that the developers did not consider this is very challenging and very interesting for me at least and I found it awesome to to do so what is a vulnerability there are a lot of definitions to it and when when you want to understand something you started up on Wikipedia there are a lot of
definitions that you can see it's some more weird like the probability that an asset will be unable to resist the actions of a threat agent I don't know
what that means yeah for me a vulnerability is some sort of flaw in a program that allows you to change the intended flow of the of the program that's what I consider as a vulnerability and the definitions we've just seen do not really tell me how I
find them so how do we find vulnerabilities so when I started I had some knowledge and programming I wasn't I wasn't the best developer out there I
was just a decent one another good level and see an assembling and all internals to understand how things actually work in Python to actually write some code so I wasn't even the best developer but I had some knowledge for example I read the C programming language which is a great book and will give you all that C knowledge you need to know in order to actually get into vulnerability research the next thing I did was to expose
myself to vulnerability research basics so I read online about some basic
vulnerabilities like classic stock buffer overflows like integer overflows and so on and then I try to practice my knowledge and that was through war games war games are some challenges that are offline and you can try to solve them there are security related challenges like you have to find some vulnerability and exploit it so that's what I did next and at first I failed like badly but it's okay because I've read the solutions I read the write-ups and I learned how to actually approach the solutions and actually how to solve them so it comes with time and it's ok to fail because we all do the next thing I
did was to expose myself to CD f's now CTF star capture-the-flag contests and they're basically competitions where you have to solve some challenges and compete against other teams this is a team effort and you play with other players your friends and this is how I met my teammates so we met through CTF through IRC and we played together and sometimes we fail like miserably but sometimes we actually do well and we got to qualify to some finals and we actually got to travel the world because when you qualified to finals they sometimes pay for the trip so we actually got to see some cool places and yeah that was awesome and I actually think city apps are a great way to get into security so next thing I did was I dove into the deep waters so once you
know the basics it's important to not stay there for too long you have to expose yourself to harder things I try I was afraid to see and try to solve the harder challenges at first but with time
I managed to understand that nothing too bad would happen even if I fail so I try to solve challenges and I failed but with time I managed to pick up the tricks and the ways to solve to solve the harder challenges and I think this is very important to not be afraid to solve things because even if you fail
you learn from others other people's solutions and it's fine it's totally okay a great tweet by Life overflow which also should be in the audience or in the top in the conference and basically says what I really believe in which is move away from the basics as soon as possible and expose yourself to harder things which we don't understand this will make you understand things
that you thought you understood but you actually didn't and also it's important to learn from different resources this way you learn different tricks and different ways to approach problem solving and it's very important in my opinion so yeah life water flows also has a great youtube channel which I also watch and he talks about vulnerability and security research and I really recommend watching his videos as well so
after I had some knowledge and pumping like CTF sand war games I practiced and
I practiced a lot so it's really important to practice and solve challenges on your own because this way you actually get to pick up those tricks that you have to understand in order to solve some challenges so some vulnerabilities have patterns in them and the way you catch on those patterns is by seeing them quite a few times and
a great way to do that and to pick that up is by solving a lot of challenges um this is where also expose myself to actual real world vulnerabilities I did that through like a lot of websites there's the project zero bug tracker which you have you can read the vulnerabilities and about exploits and and all and so on so did this is where I also explore myself to real world vulnerabilities and I also realized that there is a great connection between vulnerabilities in CTF and in real world so vulnerabilities are essentially bugs and they exist both in CTFs and in real life and the main problem that you think you have when you actually try to do real-world research is that you think that the code base is huge and stuff like that but even if the code base is your bugs are still out there so don't be afraid to look at it because the odds of vulnerability is running out just when you're starting to look at something are very low so you can start to try and solve things and by solving things I mean looking at actual code bases after doing some practice I realized that how do we find
vulnerabilities and once we actually
start and repeat the process of solving challenges and practicing we noticed that vulnerability research is about identifying bugs and we do that by looking at code so looking at code is essentially understanding the code and we have to find vulnerabilities in it
right because we want to find them and that's through actually auditing the code and that comes with practice so practice is really important in vulnerability research and once we must we master that even though I'm not a master and I'm not near they were that I still think that practice is important
so how do we actually fund from the
abilities so after as I said before vulnerabilities have patterns in them and patterns are something that you
catch up with time and we might I wasn't doing that for so long I'm doing it just for years so how did I catch it up that was basically through a practice as I said before practice can be taken cover at the time that you're not doing that for so long so I net I manage to notice that couple abilities have patterns in them for example programming errors like integer overflows and and sickness issue that these are bugs actually exists because people make
mistakes and we're all humans and humans make mistakes we're not perfect a great example for such mistake is the following code so on the third line we have an integer overflow which a lot of
developers know and know about existence of this vulnerability yet they still make this mistake it's it's I said before it's about it's because we are all humans and human make mistakes so don't be afraid to look at actual code bases because these discounted bugs actually exist in actual code bases not only in city F's so don't be afraid to look at actual vulnerabilities you can find simple ones as well so there's a great difference between
CTFs and real-world vulnerabilities in CTF usually when you find the vulnerability you know what you need to do with it you know what you have to progress with it you know what you need to have what you need to exploit how you need to exploit it so sometimes you have a stock buffer overflow so you need to override some variable the return address or you can override a function pointer there you mostly when you see a vulnerability in CTF you know what you need to do with it in real world you usually have a set of weird states a set of primitives that you have primitives are essentially capabilities we have as attackers so you usually have some
primitives that we can chain together to do something greater and that can later lead to vulnerability and a such example of that will be the vulnerability I found in chakra which is basically a bunch of primitives together chained together to make an actual vulnerability so this is basically everything I knew about vulnerability research and security research before I started looking in chakra so yeah let's dive into some JavaScript so javascript engines I didn't say I learned JavaScript because I didn't and
JavaScript is a very readable language it's so once you have learned a few programming languages reading JavaScript would probably be more smooth and more smooth process so doing that would not be too hard now jet engines are basically what's capable of running the code that you write as a developer they have a lot of parts to them and then one the most important one for us is the JIT compiler now JIT stands for just-in-time compiler what it essentially does is when some function gets hot and it's being called a lot of times it compiles this function to machine code to improve performance now this compilation is this job this JIT compiler is also incapable or is
also responsible off doing optimizations for the code it it has a lot of assumptions about the code and doesn't want assumptions to be broken so we'll see just how that works later and about about JIT compiler vulnerabilities so about JavaScript basics so Java C is a dynamically typed
language and it's totally readable you can make arrays in different ways you have you can have a race with different types of elements and you can have console logs you actually print stuff so JavaScript has prototypes prototypes are essentially something that you can in some way you can inherit features from other objects so for example in our case we have a parent object and a child object so the child object if if if it the prototype of it is the parent object then it will inherit some features in this case the properties x and y so this actually is very fairly important to us in the exploit and the vulnerability I found and you can modify the prototype by accessing the proto the proto property javascript also has something called proxy now proxy is an object that can wrap another object and redefine basic basic operations like getters and setters so in our case we redefined the getter so we really find together in which we're supposed to get X to be 1 3 3 7 but due to the fact that the proxy redefines the behavior what happens is the getter handler is actually being called so we redefine the basic the basic operation of together and in this way we actually tracked a function the function call to the getter of this object so JavaScript has already as we've seen but chakra has raised with types so the first type we're going to talk about is called the javascript native enter a and it is the way chakra calls integer a basically it's an array that stores integer which are which are four bytes per element and they're basically integers Java C also has an eggy float array which is essentially floats and unlike this C definition for float this this float is actually eight bytes and they store floats and they're eight by pail elements and we have JavaScript arrays which are object they store objects essentially pointers and they are also eight bytes per element so let's see about about how we can convert between the types so if we start off with an array of integers and we add a flow to it what happens is we convert the array to a folder and if we add a object to it the conversion that takes place is a conversion to a JavaScript array if you have both floats and integers the outcome is a float array so if we have both floats and integers and some sort and objects and mixed array what happens is this array is considered to be a JavaScript array and the most weird conversion that takes place is this one and you usually don't see this when you see about conversions in JavaScript engines but this is very crucial for our talk so when you have two arrays and you assign one of them to be the prototype of another one the prototype one is directly converted to a JavaScript array now this is going to be very important to us later so keep that in mind and this is basically the conversion takes place right when this what right when the assignment takes place so let's see
about how array layout actually looks like in memory so when we have an array for example in this case a JavaScript
array it has some flags which indicates some some things about the array and it's called the very flags we have the length of the array and we have the head now a head is a pointer essentially to an segment and a segment is a continuous memory region which has elements in this so it has some of the elements in the array and it stores another point to the next segment so what what comes out is essentially a length list of segments that start off with the head pointer in the JavaScript array so let's
see how that actually looks in memories we have this simple example we have two point two two values in this case
integers and we have an array with two values so and let's see how it actually
looks like in memory so in red we have the JavaScript array properties so we
can see the initial array value which is the array flags volume and we have in in green we have the actual segments so we can see the segment has the length and the size and in blue we can actually see the memory layout of the segment and if you notice on the right bottom we have the two elements we defined so we actually can see this in memory and this is how it looks like so what is the
array flags that was just talking about so red flags basically some flags that indicate some things about the array in our case it's and it's defining it as an enum and the interesting field for us is there has no missing values the flag and
so if we for for those of you who noticed the the initial very value that was defined as our array flags is actually composed of two different flags it's composed of the array object array Flags tag and it has no missing values tag so the first one is not really important for our talk so we'll focus on the second one which basically means that the array doesn't have any holes in it now what does the hole mean so we can
create an array and have some values
between the like we have before in this case we have three elements but the middle one is missing so it's important to say that the values I put there are the way the way they're represented in memory is by those constants and I try I chose them because it will be easier for us to detect to see them to actually notice them when we see the memory layout as we've seen before so as you can see this one has a hole and the array Flags doesn't have there has no missing values on which means we have a hole in the array and things actually make sense but when
we look at the memory layout we see some weird thing so as you can see we have
the dead beef and the 41 but between them where the missing value where the hole was we have some magic constant now makes sense that this constant would represent a missing value or a hole in the array but as we've seen before the there's already something that represents there has no missing value slag so we know that there is one way to indicate holes in your way and it's the flag we've seen before but it seems like there is another way to tell if there was a hole in the dirt hole didn't erase so that's kind of weird that raises a
lot of questions we have recently have here we potentially can have here two things that indicates should indicate the same state we have the flag of the array which is there has no missing values flag and we have the content of the array which we've seen before and is
the FFF constant so if we can what what
happens with if they're if they're like mismatched what if what happens when if we can if we can do that yet they has no missing values to be set to true and therefore says that we don't have any holes but we actually have a missing value in the array also we mix with some sort of mixed data and metadata together because if the
constant is being used in a control flow that could be that could be interesting for us see if we can fake it and it actually is very interesting and we can it turns out that we can actually fake a missing value and this was if all
nobility find by lucky heart and soul in my bed and got CVE for it so basically what they did is they faked a missing value by putting the constant we've just seen before into a float array so we could beforehand the value was not the same one that we've seen and it was something that you could actually represent as a valid float number so you could actually put that in and this could be turned to a vulnerability now this was mitigated in a few ways and it the constant changed so you couldn't represent as is and what how also happen is they added a few more checks to harden to harden things so we'll talk about how this can be turned into it this weird state can be turned into vulnerability and we care and how we can actually exploit it but before that we actually want to talk about something interesting so as I just said the the exploit the vote the vulnerability so my bad and long here I found was in native float array so apparently JavaScript arrays don't store floats as native as actual floats they first do something called boxing so they first XOR these values with this constant you can see here so before you put the float into the array this value is being XOR with the flows you're trying to put in so the questions that comes up next is whether we can actually have missing values in javascript array and if so does the constant change because as we see here we change the way we represent values and therefore we can represent new values so theoretically we should be able that eclis the engine should change the constant otherwise we could potentially get there and actually represent it and it turns out that the constant does not change therefore we can actually represent it by first boxing it so what we did is we first boxed it and sort the constant with the FFF we've just seen here so that that that in turn gives us the ability to have the constant as the original constant value while you're wondering because this property of XOR so when you have XOR of three elements and two of them are the same then they cancel out and they give you the first the other one so if we have two of them to be the if you have two of them to be the this value so and they want of them to be the magic value what happens is we actually get in turn the magic value and therefore we actually can represent it and this is exactly the vulnerability I found it which is truly truly have heavily relies on the fact we have basic understanding of JavaScript engines this boxing is one of the first things we learn when we learn about JavaScript engines so we use this idea of boxing things and turned in supposedly unexploited state to be a vulnerability so basically what we did is as you can see here we first box it and then we put it into an array that has that is a JavaScript array and not a floater II so how do we turn this one this weird state into a vulnerability so when what what happens
first thing we need to understand is how vulnerabilities look like so JIT stands
for just-in-time as I already explained bugs are usually what we see today are usually top infusions so type infusions are essentially confusion between two types that the the the program thinks something is of one type but actually over other type so you're talking through the most common ones are due to side effects now side effects are some things that take place in the JTED code now did that code I refer to the machine code that is emitted when the JIT compiler compiles the hot function so in our case in the usual case I mean what happens is you have some function let's call it foo which changes a type of some some object let's let's think of it as an array and then the function that got doesn't know about this conversion so he thinks that everything's still the same and nothing has changed so it's gonna work with it as as if we as if as it did before and this leads to attack of fission so let's look at an example so first thing we do
when we have such vulnerability is we make the function hot as I explained before to make the function be compiled into machine code we first has to make it hot we do that by calling the function a lot of times and this is this can be done by a simple loop and the next thing okay so also it's important to to say that JIT the JIT compiler has a lot of assumptions these assumptions are on some types on some things that take place during the execution of the function so for instance when we call foo and it thinks that food doesn't do anything it knows that it doesn't need to check things again because if food doesn't change any state of the program why would we check something again because that would make the function way more slower and JIT compilers are all about making things faster so it has a lot of assumptions that are there to improve performance so once we do that and we have something that breaks the assumption we can we can eventually get to a weird states where states and from there we can turn this into a phone bill
T so in this case once we call the function and we make it completely compiled into machine code and we actually call the function again but this time we want to trigger the type confusion so what happens here is who
will change the type of the array and therefore the assumption that food doesn't change anything breaks that this gives us the ability to to have the JIT compiler think that nothing happened but we actually change something this is very important because JIT compiler bugs are very complex sometimes and this one is not too complex what happens here we essentially made the way digit compilers for yet dot to not know about the the conversion that happened so if foo converts array to a JavaScript array something happened but the JIT compiler doesn't know about it so it's very crucial to understand that and the assumption essentially break because we change something in the function that we called so this is basically about your type confusions we have we essentially have some function to make it hot and then we have another function which gets
gets emitted to machine code and in that function we call some other function which will have side effects side effects are things that the JIT compiler is not aware of so let's actually move on to my vulnerability so to turn the
the mismatch between the flags if you remember we had a flag that indicates that has no missing values and we also had the array content so once we have the mismatch and we actually managed to fake a missing value to turn that into a vulnerability its quite interesting so the way lucky heart and so my bed did that was basically through calling this function concat which had an ass which relied on has no missing values and also relied on the content of the array this allowed the mismatch to be to to get us the into a weird States which shouldn't happen because in normal case why would we have the the missing values and the content of the array to have not met a mismatch between them so in our
case in in locking hearts case they got the array flags tag they got the red flags to be mismatched with the content of the array and they called concat now the way concat was called was once we make a fake array let's call it buggy
and the buggy has a fake missing value in it but the flag that indicates if there are any missing values is not set to true so we set this fake array and we call concat with it now the first thing that happens when we call concat is we get to dis code now this is the part
with that where we are after a lot of code now bear with me it's not too hard
it's just a lot of code so first thing we get is we get to this function this function essentially is called concat args and a item in this case is the fake irate the buggy we have it's called we invoke is fill from photo types and we would essentially want fill phone prototypes to return false in order to get into that if statement now is throw
from prototypes essentially checks the following things first thing it checks is that there is only one segment in the array and that check is through the fact that it checks that the next the next segment of the header hat segment is null and the another thing that they
checks is that the length of the array is equal to the length of the segment therefore this segment is the only segment in the array so these are the first this is the first thing that it checks and the second thing that it checks is that the flag has no missing values is set to true now this can be easily bypassed because we've already seen that we can fake and missing value and set the flag to true by doing that we can actually get as well from prototypes to return false and we can actually successfully get and get into the if-statement next thing we reach is
this elf statement which calls copyright elements with our array as an argument as you can see it's the PRM array what's first copy of our elements is
essentially copying an internal function and which does the following now this
part is very it's very interesting for us so first thing that happens is they make an enumerator out of the array enumerator will enumerate every single
element in the array and will increase the counter one every time is it engages in you element now let's see how this enumerator is actually implemented so this is a code for the move next function and as we can see on the red
box when we encounter an a value that is actually a missing value we actually skip it so what happened here is that every time we got into the sorry every
time we got into the while loop and there was a missing value it's kept it there for the count that we had there is
not equal to the amount of elements in the array this is because every time when we get we find a missing value it doesn't increase the counter and therefore we can actually get into this safe statement and call internal fill from prototypes now this also is a very
interesting function for us because it basically first thing it does is loop through the prototype chain now if you remember the prototype chain is basically if a prototype is basically some object that we inherit features
from so we can have our prototype to have another prototype and therefore we Forge a prototype chain so this thing this function first loops through the prototype chain and then what it does it called it calls this long function name with our prototype as an argument so if you remember prototype is actually directly converted into a JavaScript array when assigning a prototype remember from the converting slide so essentially what happens here it know is that the prototypes should know that the photo type is a JavaScript array and we loop through it so every time we get in here what happens is the prototype is being passed through the object argument and is then converted to a JavaScript array through the ensure non-native array so as you can yes infinity very basically ensures the array is not of a negative type therefore it's a JavaScript array and this is the interesting part for us so what we've seen so far is so to quick
recap okay so what will happen so far is we managed to get concat to convert some array into a JavaScript array and there is nothing that indicates this conversion it's important to know that once we fake in a missing value and we call the prototype we call the concat that all of the prototype chain is being converted to JavaScript array now as we've seen before prototypes in the prototype chain are not native types so we shouldn't be able to put there any type because it should be JavaScript array so it turns out that we actually
can do that so remember proxy proxy can wrap a an existing functionality and redefine its functionality in our case we can and it's pretty fun that we can
do that is we can redefine the functionality of get prototype so what this allows us is whenever we call yet prototype we redefine a behavior so remember that prototype chain so what we do here is basically we redefine this prototype chain loop and by doing so we allow us to return to call an arbitrary function now if we call an arbitrary function of our choice for example in any function what happens is the the JIT compiler checks if this function is marked as having side effects or not if the function is marked as having side effects the whole function that got jetted is marked as having side effects and it's not good for us because we don't want the JIT compiler to know that some side effect to place because we wanted to get a target fusion so what we do is we use an existing function which is called value off and is marked as not having side effects this basically allows us to return any object in the type chain by calling yet prototype so let's see an example for that this is
the proof of concept code and we'll go through every single part of it and I'll explain everything so first thing we do as I explained before we loop through the tail we loop through this first loop to make the function hot and therefore yet it gets compiled to machine code next thing we do is really fine to erase buggy array which is going to be the array we fake a missing value inside of it and an array which is called error and is going to be our target for attack confusion now it's important to notice that the target which will be converted to a JavaScript array is not buggy its array so notice that next thing we do is we really find that yet prototype off so
yet prototype off is basically the get prototype function and by doing by calling by redefining it to be value of whenever the function get prototype is called on aor we redefine if the implementation and get it to return the error itself this allows us to return error whenever get prototype is called this is huge because if we define a proxy what happens is we essentially made the yet for the type loop to return us a javascript native float array so if you notice on the line before whenever
get prototype is called we call value off and if we loop through the polar
type chain and value off is the get prototype the return the return value is going to be error which is a javascript native float array as you can see here
this allows us to event essentially have a native float array even though there shouldn't be any of those in the prototype chain next thing we do is we redefine we define the missing value constant and by doing so we still have there has no missing values flag for buggy set to true this is the interesting part because this is where the mismatch takes place so we have a missing value but we don't have the flag set to true so the next thing we do is we call the JTED function so this is the the key part here so when we call this function what happens is this function
is this code is being granted so first thing we do is read the find the temporary and we define the first element of the array object the array array to be a a float this makes the JIT know that whenever it gives us array and no conversions happened it still thinks it's a JavaScript filtering and then we call the temp we call the concat function and we give it the buggy as an argument this will essentially loop through all of the prototype chain and one of the prototype in the prototype chain is the proxy as we can see here and when we call the neck the get prototype for the proxy we get the ARR and when we call the get prototype for the mr we get wait sorry when we get we call the prototype for the buggy we get proxy when we go we can only get for the time for the proxy we invoke the get prototype for ARR which will return us the ARR and therefore what happens is AR is converted to a JavaScript array whenever the prototype chain loop takes place afterwards in the last line of the JIT function we basically write some value into the array and therefore make write a float into some array that was converted to JavaScript a float JavaScript array so array is the same array that is in a prototype chain and therefore we still overwrite we overwrite some pointers with a float which in our case is 1 2 3 4 so last
thing we do is call console.log and we crash because we have a object which is defined for this address and it's not mapped so this is essentially the proof-of-concept code and what we do here is fairly simple with first thing we do is we make a function hot and by doing so we make it can't be compiled into machine code next thing we do is we
redefine the the behavior of the yet prototype function and we allow it to return an arbitrary object whenever we call yet prototype then we invoke the jet would then we fake a missing value and we call the jet digital function which in turn allows us to convert in all of the prototype chain to be some JavaScript arrays now even though one of most of them are JavaScript arrays one of them the array one is not because we redefined that the implementation forget prototype this in terms allow this in turn allows us to have a JavaScript float array convert it to a JavaScript array and we can still act with it still operate with it as if
it were a JavaScript float array and therefore the last line here allows us
to write a point in number as a pointer and therefore we have what we call in the beginning a type confusion so we essentially had a type confusion between
a float and a pointer because the jet did not understand that some conversion took place now this is essentially the bug and to exploit it we actually had to
do a few things so first thing we did was we targeted a fake object primitive
now what is the fake off derivative this thing we've just seen was that we faked an object at an arbitrary address in our case it was faked in the Attis one two three four as seen
here but the thing is we actually can fake an object at an arbitrary address the object we decided to fake was a date of your object which has some fields of it which are a pointer you can read from and write to this in terms gives us a readwrite primitive and from there what we did was to use a known trick which is to find a stack address and override it to run to execute our code in Rob so to do all that we used a great level which is called pond Jes and we used that we had to fix a few things but it it did most of the work what it did was basically do what we explained we it it requires us to have a readwrite primitive and then what it does is to scan the the program to find a stack pointer from there it overwrites the stack with whatever we want because we got an arbitrary readwrite primitive and then what happens is we can execute code in Rob now we first exploited it on edge
but to actually execute our own code what - sorry well when we actually execute our own code we we executed it in the sandbox context so which wasn't any nice for a demo because it would not allow us to pop a calculator or something but so what we did was we actually compiled chakra core for Linux and we exploited it for Linux the exploit for Linux was similar because we still overwrite this overall the stack with some things we controlled as we had a read/write primitive and from there we basically executed code and Rob so that's basically what we did to get a POC a crashing proof of concept to actually execute our own code so
let's see a demo for that let's hope it actually works one second sorry second
Oh No
so let's let's hope everything works so basically this we have chopped record compiled for Linux and this is how it looks like so to execute it we actually have to give it a source file so in our case we'll give it an exploit and our exploit so notice this is going to be very fast to exploit because chakra is super fast and it has super optimizations because why not so it's going to be super fast so beware and therefore we have okay we have a shell so to prove them we actually got code execution let's draw rest let's run a calculator oops oops and we have a child
who later as well so we actually can actually execute code and everything works as expected so a few things about let's get back to this talk oops wait no sorry so what we've seen here sorry what
we've seen here was basically we had some code we okay so the demo shows us a very simple thing we first did what we did in a proof of concept we got the JIT compiler to not be to not be Newton to not know that some side-effect took place this side effect in our case was some conversion that allowed us to convert some array into JavaScript array and then in turn allows us to write floats as poor as pointers and this basically gave us a top confusion primitive which we exploited by having by faking an object which gives us a read/write primitive and therefore we continue to write our code and Rob so I
really hope that my talk was helpful for so for those of you who want to get into security research and I hope it was entertaining for those of you just one to hear about the technical stuff and I want to thank everyone who helped me out
with the talk and with the slides and
for you to come for you for coming here and seeing my talk I know there's a great competition and there's way cool talks probably but you still came to mine so thank you for that and yeah thanks for coming
Jonathan do we have some time for questions yeah okay was it the first talk you have for such a big audience yeah I never thought for Christ's sake that was good [Music]
we have a couple of microphones over
here so if you have questions for John ISM please line up over there and shoot the questions we could start with one from the internet do we have one oh okay don't we have any questions over here people are get where's here number five here we go so thank you for the excellent talk I was surprised to see that the JavaScript engine for ads was open source so is
this something that they're moving towards more open source components I think that the open sourcing is cool but I don't know how actually how the future will will be and if we'll open source more things actually don't know then we continue with microphone number two hey thanks for your very interesting talk so obviously JIT compilers appertained of the subject so my question is when you get started with all this how much prior domain knowledge of did compilers and language 1 times that you have and when you then go to chapter call how much you have to just read through the whole thing before you could actually start looking for vulnerability in there so what I did was when I started to get into chakra I read a lot of reports and I I've seen that there's plenty of vulnerabilities there so I read most not every one of them but I read a lot of them and I tried to understand what they do and why they exist and this is basically what got me into looking for my own bug as well so basically I had understanding of JavaScript engines in general and then I read about how chakra works and read about one specific vulnerabilities in chakra and over to microphone one please you mentioned the
process in Windows servants in a sandbox so you weren't able to out later which this exploit in the wild or is there a way this could be dangerous even in the
sandbox so to actually execute your arbitrary code you have 2x Kate's escape the sandbox there's things you can do with the sandbox but they're pretty limited I didn't exploit I didn't find a sandbox escape yet I hope I will find one day but to actually execute interesting stuff you need to do a sandbox escape because there's plenty of mitigations nowadays and specifically for edge does a lot and I don't know specifically if you could do anything you could do anything interesting without a sandbox escape but you could actually run code so you could do it you could do stuff I'm not sure if it's interesting enough to to to actually do something in the wild and over to microphone number two a
great research and how much time did you walk on it so I
worked on chakra for about I think from July I think I when I started I started reading about chakra in July but I had to understand I had some knowledge about JavaScript engines before for about like two two months I think so not not for I mean the more important part for me was to actually read about examples and see examples more than spending a lot of time on it like I think it comes with practice as I explained before what I do believe in is practice and my practice was through reading a lot of research and a lot of internal stuff about chakra so it's about I think from July and but maybe two months before all right
nobody's queueing up on the microphones or have I over seen someone Jonathan who excellent thank that's it that's your clause
that was Jonathan Jade from zero to zero day thank you very much [Music] [Music]
Feedback