2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

Host - engine interactions • Communication between the host and the script engine is carried on using a pair of interfaces : IActiveScript and IActiveScriptSite • IActiveScriptSite is implemented on the host side and enables the js engine to call its host IDispatch IE 9+ IActiveScriptSite • IActiveScript, implemented on the script engine side, provides necessary function calls to initialize the engine IDispatch Jscript9.dll IActiveScript • IActiveScript also includes the API AddNamedItem used by the host to add objects to engine’s global scope. IE uses this function to add Window and other DOM objects into the engine • Idispatch interface is implemented on both sides and is used to retrieve handles of objects and execute get, set and function calls operations on them
Cross engines interactions • When a Jscript.Encode script is found, IE9 hosts both Jscript9 and Jscript engines at runtime and both engines can talk to the other one • When an engine wants to interact with an object of the other engine, IE needs to marshal object and pass it back to the requesting engine • So any communication between Jscript9 and Jscript engine needs go through IE using IDispatch interface 1. Jscript use IDispatch IF of the host to request an object in jscript9 space 2. Host use IDispatch IF of JSCRIPT9 to marshal a reference of the object 3. Host unmarshal reference and returns it to jscript IE 9+ IDispatch Marshalled Object Reference IDispatch Jscript.dll IActiveScript IDispatch Jscript9.dll IActiveScript Unmarshalled Object Reference Object
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7 and 8: Memory corruption vulns: a primer
Page 9 and 10: Usual Targets for Browser fuzzing R
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21 and 22: FUZZing with XHR (2/2) Similar cons
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27: Using legacy engines • By default
Page 31 and 32: Introducing fileja • A prototype
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?