Browser Security Beyond SandboxingJORDAN RABET, MICROSOFT OSR

Who am I

Computer Science, Applied Math, AI, CV

Formerly

Presently

OSRExploit things, Mitigate things

jorab@microsoft.com

@smealum

What I’m going to talk about

Browser Security Beyond Sandboxing…?

Live demo halfway through!

A difference in security strategy

- Justin Schuh, Chrome security lead

The result: a strong sandbox…

Renderer process

#0

Renderer process

#1Renderer process

#...GPU process

PPAPI processBrowser process

The result: …and a soft RCE target

Finding a bug: fuzzing!Ran a JavaScript fuzzer written by the Chakra team…

…using a fuzzing harness put together by the Security Assurance team…

…on Azure!

=> got an exploitable bug after less than a day of fuzzing

Figuring out the bugvar func0 = function(f)

{

var o =

{

a: {},

b:

{

ba: { baa: 1.2, bab: [] },

bb: {},

bc: { bca: { bcaa: 0, bcab: 0, bcac: this } },

}

};

o.b.bc.bca.bcab = 0;

o.b.bb.bba = Object.toString(o.b.ba.bab);

};

while(true) func0()

Object.toString(o.b.ba.bab)

Object.toString(o.b.ba.bab)

while(true)

var o = { a: {}, b: {...} }b: { ba: {...}, bb: {}, bc: {...} }

ba: { baa: 1.2, bab: [] }

o.b.ba.bab

Object.toString(o.b.ba.bab)

o.b.ba.bab

Object.toString(o.b.ba.bab)

b: { ba: {...},

bb: {},

bc: {...}

}

Bug modifier #1: attribute type

Bug modifier #2: attribute offset

Bug modifier #3: local variable spray

Resulting bug capabilities

Type being sprayed Type being loaded Result

JavaScript object Double value Infoleak

Double value Double value Arbitrary read primitive

Double value JavaScript object Arbitrary JavaScript object manufacturing

Achieving code executionWe can manufacture arbitrary JavaScript objects

Create a fake ArrayBuffer object and use that to read/write arbitrary memory

Use read/write to load a overwrite RWX code…

Recap so far

Renderer process

#0

Renderer process

#1Renderer process

#...GPU process

PPAPI processBrowser process

WE ARE HERE

DEMO TIME

Multiple origins in the same process

“Immortal” pop-undersUser interaction checks are renderer-side

window.onbeforeunload

JS backdoor for advanced shenanigans

UXSS

AftermathBug was reported to Google

Bug was fixed by disabling old escape analysis implementation in just 4 days!

Fix made it to stable channel 3 days later

=> Impressive response time and agility from Google

Servicing procedureSecurity bug fixes are published before they make it into official builds

Fixes often come with regression tests, giving a PoC

Lack of RCE mitigations makes many bugs easy to exploit

The fix didn’t ship to stable channel Chrome until 30 days later

=> Google regularly 0-days itself, which is not great

Site isolation

ConclusionBrowser RCE is still a serious threat

How bugs are serviced matters

Thank you for your time!CONTACT: JORAB@MICROSOFT.COM

@smealum