Explore the security landscape of WebKit, a widely-used web rendering engine, in this 33-minute Black Hat conference talk. Delve into the challenges and possibilities of exploiting WebKit-based applications across various platforms, including Windows, Mac OS X, iOS, and Android. Learn about the security improvements implemented by major tech companies and how they have increased the difficulty of successful exploitations. Examine two detailed exploit demonstrations, including a remote code execution on x64 Safari and techniques applicable to mobile applications. Gain insights into advanced exploit techniques, vulnerability details, and recommendations for enhancing the security of WebKit-based applications. Understand key concepts such as memory corruption, heap arena internals, garbage collection mechanisms, ASLR on Mac OSX, sandbox architecture, and exploitation strategies.
Overview
Syllabus
Intro
Background
Historical issues
Memory Corruption
Heap Arena
RenderArena internals
RenderArena enhancement
GC mechanism
Trigger GC: Workaround
ASLR on Mac OSX
Sandbox architecture
Native 64bit App
CVE-2014-1303 : Vulnerability
Restrictive 1-bit write
Exploit : What to overwrite?
Typed Array Internals
Exploitation : Overall strategy
Exploitation : JS Controlled Free
Exploitation : ROPs are for the 99%
Summary of WebKit exploitation
Taught by
Black Hat
