back

Attacking Chrome IPC

Reliably finding bugs to escape the Chrome sandbox

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:54:12
Language
English
Abstract
In this talk, I discuss how to reliably find bugs in the Chrome IPC system with the goal of escaping the sandbox. I show how to enumerate the attack surface, how to identify the weak areas, and how to fuzz those areas efficiently to consistently produce bugs.

Since the win32k lockdown on the Chrome renderer process, full chain Chrome exploits on Windows have become very rare, with the most recent successful competition exploit occurring in 2015.

By applying new fuzzing strategies, I was able to identify many vulnerabilities in the sandbox in the past year, one of which I used to demonstrate a full chain exploit at Hack2Win this year when combined with a teammate's RCE bug.

In this talk I hope to show how I found these bugs by using extremely targeted fuzzing in a way that was easy to setup but reliably had great results, and briefly cover how we leveraged one use after free bug to fully escape the sandbox.

Talk ID
9579
Event:
35c3
Day
3
Room
Eliza
Start
6:50 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
nedwill
Talk Slug & media link
35c3-9579-attacking_chrome_ipc

Talk & Speaker speed statistics

Very rough underestimation:
149.6 wpm
800.1 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
149.6 wpm
800.1 spm
bugessentiallychromebugsideathingspeoplefuzzingprocessipcstuffbrowserthingcodebasicallytalkappcachelookedtimefuzzerrendersandboxrequestc++findingobjectfuzznetworkprettyinterestingguessapiworkwritetestmessagesmessageservereasyyearshuntingstartedquestionneddaycouplehittriggerauditingfind