Browser Exploitation
Amy Burnett

Dates

10-13 February 2020

Capacity

18

Price

4.000€
(Early Bird 3.500€)

Introduction

Web browsers are among the most utilized consumer facing software products on the planet. As the ubiquitous gateway to the internet, browsers introduce significant risk to the integrity of personal computing devices. In the race to protect users while advancing web technology, premiere browsers have become increasingly complex targets to compromise. Over the course of this training, students will receive a thorough introduction to vulnerability research as it pertains to modern web browsers. This includes identifying, evaluating, and weaponizing the latest vulnerability patterns via the exploitation of several recently patched vulnerabilities. Through this, students will experience the end to end process of developing memory corruption based exploits against these high value targets. This course will focus specifically on Google Chrome and Apple Safari.

  • Learning Outcomes
    • Identify contemporary vulnerability patterns in web browsers 
    • Develop an understanding of target-specific exploit techniques 
    • Weaponize a diverse selection of real-world vulnerabilities 
    • Execute renderer-only attacks to hijack user sessions 
    • Clone, build, and debug properly versioned browser engines 
    • Become familiar with the architecture of modern web browsers 
    • Build an in-depth understanding of browser internals and JavaScript engines
  • Prerequisites
    • Familiar with modern exploitation subjects (DEP, ASLR, ROP) 
    • Working knowledge of C++ and JavaScript 
    • Some exposure to AMD64 assembly or low level systems 
    • Linux command line proficiency
  • Hardware
    • A Laptop capable of connecting to the internet (SSH, VNC)

Course agenda

  • 1. Browser Architecture (General, Chrome, Safari/Webkit)
    • Breaking down modern browser architectures, major components
    • Setting up a browser research environment, building, debugging
    • Interfacing with different components of the browser (DOM, JS)
    • Introduction to JavaScript engines
    • A deep-dive into JavaScript engine internals
    • Low-level JavaScript types and natives
  • 2. JavaScript Internals in Exploitation (General, V8, JSC)
    • Garbage collection implementations 
    • Current vulnerability patterns found in JS engines 
    • Introduction to exploit building blocks (Primitives) 
    • Leveraging JavaScript vulnerability classes 
    • Layering exploit primitives
  • 3. JavaScript JIT Compilers (General, V8) 
    • Overview of JavaScript JIT compiler pipelines 
    • Exploring JIT debugging tools 
    • Optimizations and typing 
    • Type cache and speculation 
    • JIT vulnerability classes, contemporary exploits
  • 4. JavaScript Exploit Engineering (General, V8, JSC)
    • Constructing arbitrary memory primitives 
    • Overwriting JIT structures and control flow hijacking 
    • Continuation of execution 
    • Bypassing browser-specific mitigations 
    • UXSS, SOP bypasses, and renderer-only attacks 
    • N-Day exploitation

Bio

Amy is a security researcher and co-founder of RET2 Systems, where she specializes in browser security and mitigation bypass. She has spoken about and previously lead trainings on advanced browser exploitation at private events and conferences. She and her team developed and publicly demonstrated a remote code exploit against Safari for Pwn2Own 2018, which also leveraged a macOS bug to gain root level code execution.

Limited Seats - Remember to reserve your ticket!

register now