35C3 - Attacking Chrome IPC

Description:

https://media.ccc.de/v/35c3-9579-attacking_chrome_ipc

Reliably finding bugs to escape the Chrome sandbox

In this talk, I discuss how to reliably find bugs in the Chrome IPC system with the goal of escaping the sandbox. I show how to enumerate the attack surface, how to identify the weak areas, and how to fuzz those areas efficiently to consistently produce bugs.

Since the win32k lockdown on the Chrome renderer process, full chain Chrome exploits on Windows have become very rare, with the most recent successful competition exploit occurring in 2015.

By applying new fuzzing strategies, I was able to identify many vulnerabilities in the sandbox in the past year, one of which I used to demonstrate a full chain exploit at Hack2Win this year when combined with a teammate's RCE bug.

In this talk I hope to show how I found these bugs by using extremely targeted fuzzing in a way that was easy to set up but reliably had great results, and briefly cover how we leveraged one use-after-free bug to fully escape the sandbox.

nedwill

https://fahrplan.events.ccc.de/congress/2018/Fahrplan/events/9579.html

Video Language:
English
Duration:
54:13
Video sources:
http://www.youtube.com/watch?v=39yPeiY808w (Format: Youtube; Primary, Original; added by C3Subtitles)
http://www.youtube.com/watch?v=LvfRbQs4sgc (Format: Youtube; added by C3Subtitles)
This video is part of Amara Public.
