The Most Secure Browser? Pwning Chrome from 2016 to 2019

Conference: BlackHat USA 2019



The presentation discusses the difficulty of exploiting Chrome OS and the use of mutation-based fuzzing to find vulnerabilities in the V8 JavaScript engine.
  • Chrome OS is difficult to exploit due to Clang control flow integrity and the thread pool used for handling IPC messages
  • The renderer command prefix can be used to control the command line of the child process
  • Miss Q structure can be used for command line injection
  • Mutation-based fuzzing is effective in finding vulnerabilities in the V8 JavaScript engine
The speaker mentions a bug found in the V8 engine that was too easy to audit and caused nervousness. They also discuss the importance of believing in hidden stars in the search space when trying to find vulnerabilities.


Browser security is always a prevalent topic in security research. Due to great design and long-term effort, browsers have become more and more secure. The last time Chrome was pwned in Pwn2Own dates back to Mobile Pwn2Own 2016. In that contest, we, Keen Security Lab of Tencent, pwned the Nexus 6P via the Chrome browser. This year, we are willing to share the full, in-depth details of our research on Chrome security.

JavaScript engines are an attractive target for browser attackers. Security researchers have published amazing methods, such as CodeAlchemist and Fuzzilli. We developed a methodology, Semantic Equivalent Transform (SET), and it is distinct because it is:
  • Simple. SET is inherently immune to grammar and semantic errors, so we don't need to write a lot of analysis code.
  • Effective. We've found 8 Pwn2Own-available V8 bugs using it in the past three years.
  • Versatile. There are many scenarios where SET can play a role.

We will then share novel exploitation techniques we used in Pwn2Own. For instance, although most researchers have realized that JIT is a good target for bug hunting, few people notice that JIT could also be used for exploitation. We will show how we used some general JIT fragments to exploit low-quality bugs. After that, we will share other interesting cases and our latest bug.

Finally, we'll share our recent research on sandbox bypass. We have pwned Chrome three times since 2016. We will share the details of our IPC bugs and bring a demo of how we pwned Chrome in March 2019. To the best of our knowledge, this presentation will be the first to publicly present a complete methodology to pwn Chrome (finding and exploiting bugs in both V8 and the sandbox).