Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Use-after-freedom: MiraclePtr - 1216

Google - MiraclePtr (posted 2 years ago)
  • Half of the exploitable bugs in Chrome were use-after-frees (UAFs). Killing this bug class with mitigations would eliminate a lot of exploitable 0-days.
  • The Chrome browser runs in a sandbox. Compromising the renderer is the easy part, and there is not much to gain from that on its own. The sandbox is the hard part to exploit: there are fewer ways to interact with it, and its attack surface has been scoped down.
  • What matters is whether an attacker can escape that process, not the renderer compromise itself. So the idea is to reduce the attack surface of the browser process in order to make exploitation harder. How? Miracle pointers.
  • The goal is to rewrite the code base to use MiraclePtr in place of standard raw pointers. Under the hood, the algorithm works just like reference counting for each pointer.
  • The main difference is that, instead of releasing memory immediately, the PartitionAlloc allocator quarantines the memory region until it no longer has any references and only then releases it. Additionally, they fill the freed memory with garbage so that a UAF would not be very useful.
  • The authors of this post rewrote 15K raw pointers. Although this is not all pointers, it will reduce the attack surface drastically, and they hope to move this into more parts of the code base too. Overall, this is a super interesting software mitigation for memory corruption bugs.
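The reference-count-plus-quarantine mechanism the notes describe, as an added toy model in C++ (not Chromium's code; the SlotHeader layout, brp_alloc/brp_free and the raw_ptr stand-in are simplified assumptions, not PartitionAlloc's real metadata):

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

struct SlotHeader { uint32_t refs; uint32_t quarantined; size_t size; };  // hypothetical header in front of the user bytes
static int g_released = 0;  // slots actually returned to the system
static SlotHeader* header_of(void* p) {
  return reinterpret_cast<SlotHeader*>(static_cast<char*>(p) - sizeof(SlotHeader));
}
static void release_if_unreferenced(SlotHeader* h) {
  if (h->quarantined && h->refs == 0) { std::free(h); ++g_released; }
}
void* brp_alloc(size_t size) {
  auto* h = static_cast<SlotHeader*>(std::malloc(sizeof(SlotHeader) + size));
  *h = SlotHeader{0, 0, size};
  return h + 1;  // user region starts right after the header
}
// Replacement for free(): zap the contents so a dangling read sees garbage, then quarantine instead of reusing.
void brp_free(void* p) {
  SlotHeader* h = header_of(p);
  std::memset(p, 0xEF, h->size);
  h->quarantined = 1;
  release_if_unreferenced(h);
}
// Stand-in for Chromium's raw_ptr<T>: copies bump the slot's reference count,
// destruction drops it; the last drop on a quarantined slot frees it for real.
template <typename T> class raw_ptr {
 public:
  explicit raw_ptr(T* p) : p_(p) { if (p_) ++header_of(p_)->refs; }
  raw_ptr(const raw_ptr& o) : raw_ptr(o.p_) {}
  raw_ptr& operator=(const raw_ptr&) = delete;  // not needed for this demo
  ~raw_ptr() { if (p_) { SlotHeader* h = header_of(p_); --h->refs; release_if_unreferenced(h); } }
  T& operator*() const { return *p_; }
 private:
  T* p_;
};
struct UafProbe { bool quarantined; uint32_t value_seen; int released_by_last_ref; };
UafProbe probe_uaf() {  // what the holder of a stale raw_ptr observes
  UafProbe r{}; int before = g_released;
  uint32_t* obj = static_cast<uint32_t*>(brp_alloc(sizeof(uint32_t)));
  *obj = 0x41414141;
  {
    raw_ptr<uint32_t> stale(obj);  // long-lived reference, e.g. a member field
    brp_free(obj);                 // owner frees: slot is zapped and quarantined
    r.quarantined = header_of(obj)->quarantined != 0;
    r.value_seen = *stale;         // garbage pattern, not reusable attacker data
  }                                // last raw_ptr dies here -> slot finally released
  r.released_by_last_ref = g_released - before;
  return r;
}
```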