Explore the intricacies of WebGL exploitation in this comprehensive conference talk from HITB2018DXB. Dive deep into the world of Glitch attacks, understanding attacker primitives and DRAM organization. Learn about address translation, eviction-based Rowhammer attacks, and GPU architecture. Discover how texture sampling and fast memory access play crucial roles in DRAM exploitation. Examine WebGL-based timers and contiguous memory detection techniques. Uncover the potential of JavaScript arrays, IEEE-754 floating-point numbers, and type flipping for exploitation. Master arbitrary read/write techniques and gain insights into the broader implications of these vulnerabilities. Conclude with a thorough recap and key takeaways for enhancing web security.
Overview
Syllabus
Introducción
Glitch: what?
Attacker primitives
DRAM: organization
Address translation: THPS
#P2. Eviction-based Rowhammer: arm
Attack Vector
GPU: The rendering pipeline
#P1. GPU: The architecture
#P1. DRAM access: texture sampling
Fast memory access
Eviction-based Rowhammer: GPU
Memory Allocation
DRAM Reads: recap
#P3. Contiguous Memory: Detection
#P3. WebGL-based timers
Glitch: in a nutshell
Exploitation: JS Arrays
IEEE-754 floating point (double)
Exploitation: Type Flipping
Exploitation: Arbitrary R/W
Exploitation: Arbitrary read
Exploitation: Recap
Conclusions
Taught by
Hack In The Box Security Conference
