Tackling Privilege Escalation with Offense and Defense

Conference: BlackHat EU 2019



The presentation discusses the use of datalog analysis to improve JavaScript engine security and the trade-offs between soundness and usefulness in static analysis.
  • Datalog analysis can be used to efficiently address vulnerabilities in JavaScript engines
  • Post-analysis can provide more information than abstract analysis alone
  • Combining points-to analysis and flow analysis can provide more powerful security rules
  • Soundness is not necessary for static analysis to be useful
  • Trade-offs must be made between soundness and usefulness in static analysis
  • Incremental decorative specification is a useful approach to limiting problems in JavaScript APIs
  • API restrictions in Acrobat can still be bypassed
  • Adding more features to an application can increase its attack surface
The speaker mentions that during their PhD, they attempted to prove the correctness of code, but found it to be super hard and impossible to do. They emphasize the need to make trade-offs and adjust soundness in a certain way.


Over the past couple of years, various JavaScript APIs have been closely examined by security researchers. They've been audited and fuzzed thoroughly for classic memory corruption issues like buffer overflows, use-after-frees, and type confusions. Nevertheless, there's an interesting class of vulnerabilities that requires manual auditing rather than fuzzing. This class of bugs surfaced back in 2015, and researchers discovered how to exploit it to bypass built-in security restrictions within the JavaScript engine. Chaining these privilege escalations with undocumented features in Adobe Reader enabled reliable arbitrary code execution. When one bypass was patched, researchers would discover new and innovative ways to circumvent the restrictions. To make matters worse, leveraging these JavaScript API restriction bypasses opened the door to numerous memory corruption issues that existed in the less audited, security-relevant JavaScript APIs. Even with sandbox protection, an untrusted document executing JavaScript code in the privileged context provides avenues for abuse. Efforts on both the offensive and defensive side of the field were kicked off to combat this class of issues. This presentation will focus on the efforts to combat this class of vulnerabilities, which leveraged the exploitation expertise of the researchers along with the knowledge of engineers to implement mitigations against the rising tide of these weaknesses. On the offensive side, researchers thoroughly analyzed the ways in which JavaScript APIs can be abused to elevate execution from the unprivileged into the privileged context. On the defensive side, engineers leveraged instances of privilege escalations to devise methods that interpret each escalation as a violation of a general security invariant. The security invariants can be described and understood through a formal framework of information flow security properties.
We will describe some of the surprising discoveries by researchers submitting to the Zero Day Initiative program, which were used to verify the application hardening as it occurred. Over the years, this multi-pronged approach eliminated a large set of vulnerabilities resident in a security model implemented in a JavaScript engine.
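As an added example (not the speakers' tooling or Adobe's code), the Python sketch below evaluates Datalog-style rules that join points-to (alias) facts with assignment (flow) facts, the combination the summary credits with more powerful security rules, and reports the information-flow invariant violation the abstract describes: document-controlled data reaching an API meant only for the privileged context. All facts are constructed, `privApi.execute` is a hypothetical placeholder, and `app.alert` stands in for an unprivileged API.

```python
# Added illustration, not the speakers' Datalog analysis: a minimal
# Datalog-style fixpoint that joins points-to facts with assignment (flow)
# facts to find document-controlled values reaching an API that should
# only be reachable from privileged JavaScript context.
from itertools import product

def analyse(assign, points_to, calls, privileged_apis, untrusted_sources):
    """Evaluate these rules to a fixpoint and return violation(api, var):
        tainted(X) :- untrusted(X).
        tainted(X) :- assign(X, Y), tainted(Y).                      # flow
        tainted(X) :- points_to(X, O), points_to(Y, O), tainted(Y).  # alias
        violation(A, X) :- calls(A, X), privileged(A), tainted(X).
    assign: set of (dst, src); points_to: set of (var, obj);
    calls: set of (api, arg_var)."""
    tainted = set(untrusted_sources)
    changed = True
    while changed:                      # naive fixpoint iteration
        changed = False
        for dst, src in assign:         # flow rule
            if src in tainted and dst not in tainted:
                tainted.add(dst); changed = True
        for (x, o1), (y, o2) in product(points_to, repeat=2):  # alias rule
            if o1 == o2 and y in tainted and x not in tainted:
                tainted.add(x); changed = True
    return {(api, var) for api, var in calls
            if api in privileged_apis and var in tainted}

def run_example():
    """Constructed facts: an untrusted document field reaches a hypothetical
    privileged API through an alias (q shares obj1 with p), while a
    constant-fed call to the same API and a tainted call to an unprivileged
    API are not flagged."""
    untrusted = {"doc_field"}                       # document-controlled input
    assign = {("tmp", "doc_field"), ("safe", "CONST"), ("p", "tmp")}
    points_to = {("p", "obj1"), ("q", "obj1"), ("safe", "obj2")}
    calls = {("privApi.execute", "q"),              # hypothetical privileged API
             ("privApi.execute", "safe"),
             ("app.alert", "tmp")}                  # unprivileged API
    privileged = {"privApi.execute"}
    return analyse(assign, points_to, calls, privileged, untrusted)

if __name__ == "__main__":
    print(run_example())   # {('privApi.execute', 'q')}
```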