A large set of public V8 vulnerability PoCs.| zon8.re
Introduction The DFG (Data Flow Graph) and the FTL (Faster Than Light) are the two optimising compilers used by JavaScriptCore and have been the source of a number of JIT bugs that lead to type confusions, OOB (Out-Of-Bounds) access, information leaks, etc. Some of these have been successfully exploited as part of various Pwn2Own [1] [2] [3] competitions targeting Safari. Part II examined the LLInt and Baseline JIT and explored how JavaScriptCore tiers up from one to the other and how the Baseline J...
Introduction This blog post continues from where we left off in Part III and will cover each DFG graph optimisation. The graph generated at the end of the bytecode parsing phase is passed through the DFG pipeline, which optimises the graph before lowering it to machine code. DFG optimisation phases add, remove and update nodes in the various blocks that make up the graph. The optimisation phases will also re-order nodes (via hoisting or sinking) within the same basic block.
Introduction This blog post concludes this review of the DFG with a discussion on the final two stages of the optimisation pipeline: code generation and OSR. This post begins by examining how an optimised DFG graph is lowered to machine code and how one can inspect the generated machine code. Finally, the blog covers OSR Entry and OSR Exit to and from this optimised compiled code. Graph Compilation To begin exploring graph compilation, consider the following JavaScript program and the functio...
Introduction Historically, the LLInt and Baseline JIT haven't been the source of many publicly disclosed security-related bugs in JavaScriptCore, but there are a few reasons why it felt necessary to dedicate an entire post solely to the LLInt and Baseline JIT. The main goal of this post and the blog series is to help researchers navigate the code base and to help speed up the analysis process when triaging bugs/crashes.
Introduction Fuzzing WebKit's JavaScriptCore (JSC) with Fuzzilli proved to be quite successful and produced a fair number of crashes over time. However, once a crash was detected, triaging the crashes for exploitability took a fair bit of time due to unfamiliarity with the WebKit codebase and the lack of easily available documentation on navigating the codebase. This motivated the creation of this blog series to dig into the internals of JSC and hopefully be useful to others who wish to boo...
Regularly updated reading list for core concepts required to exploit browsers
Please start opening your eyes, if you have something that crashes, don't just ignore it, don't just click away... Take the time to look at what happened, if you surf to a page with your web browser and your web browser disappears, and you surf to the page again and your web browser crashes again, you want to know what this web page does... take a debugger and look at it, try to find out what happened.
Frequently updated reading list for core concepts required to exploit WebKit and JSC
Frequently updated reading list for V8 and Chrome architecture tailored for security researchers. [Updated 2022]