2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

Threat model • Any engine has no knowledge of the status of objects created in other engines contexts • objects could be deleted on the other engine or the whole other engine context could has been deleted • It is a host responsibility to maintain consistency among objects and objects references in different scripting contexts • To trigger memory corruption the Strategy is to use a classic dom fuzzing approach but all crawling-tweaking and mutating operations are performed cross-engine Use Several namespaces Also ON elements on collections OP<strong>EN</strong> Parent window Jscript9.dll Create random elements Tweak elements attribute s Collect element reference Perform random mutations on DOM Trigger GC Crawl DOM reference Use Several namespaces Also ON elements on collections Child window (ofiframe) Jscript.dll Create random elements Tweak elements attribute s Collect element reference Perform random mutations on DOM Trigger GC Crawl DOM reference
Introducing fileja • A prototype combining a traditional dom fuzzing approach with time events and cross engines fuzzing • Written in javascript & Nodejs • tested on grinder framework but totally agnostic from fuzzing framework • completely general technique: Not bound to specific apis, but a plug-in approach to any existing fuzzer Your fuzzer Your fuzzer Your fuzzer + Events/ network calls Cross engine = Increase d fuzzing surface • Applied on nduja-like fuzzer • Two months of full time testing on my PC with a couple of win7 vms mainly on ie11 and chrome • 4 exploitable bugs found in the first week, 5 more in the following months
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7 and 8: Memory corruption vulns: a primer
Page 9 and 10: Usual Targets for Browser fuzzing R
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21 and 22: FUZZing with XHR (2/2) Similar cons
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29: Cross engines interactions • When
Page 33 and 34: SOME RESULTS #1 Registers: EAX = 0x
Page 35 and 36: SOME RESULTS #3 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

Create successful ePaper yourself

Delete template?

Save as template?