Put in One Bug and Pop Out More: An Effective Way of Bug Hunting in Chrome

The presentation discusses an effective way of bug hunting in Chrome by discovering new vulnerabilities based on historical vulnerabilities. The focus is on finding common bug patterns and using variant analysis to adjust and refine the pattern to discover new bugs distinct from the originals. The presentation also shares an anecdote about how they exploited one of the bugs to escape the Chrome sandbox in the Tianfu Cup 2020 Cybersecurity Contest.

• Bug hunting is the main content of the speaker's work as a security researcher
• Variant analysis is an effective way of discovering new vulnerabilities based on historical vulnerabilities
• Chrome uses a multi-process architecture which isolates different processes from each other with sandbox
• The presentation focuses on the code that runs in the browser process which means it is on sandbox
• Weak pointers are useful when an object needs to be accessed only if it exists and the managed object may be deleted at any time by someone else
• The LLVM compiler optimized out the branch which get method would return non-pointer as a result, which could convert a non-point dereference crash to an exploitable use after free bug
• The presentation shares an anecdote about how they exploited one of the bugs to escape the Chrome sandbox in the Tianfu Cup 2020 Cybersecurity Contest

The presentation shares how they discovered an unusual pattern called weak ptr optimization and how they exploited one of the bugs to escape the Chrome sandbox in the Tianfu Cup 2020 Cybersecurity Contest. Weak pointers are useful when an object needs to be accessed only if it exists and the managed object may be deleted at any time by someone else. The LLVM compiler optimized out the branch which get method would return non-pointer as a result, which could convert a non-point dereference crash to an exploitable use after free bug. They successfully exploited one of the bugs to escape the Chrome sandbox in the Tianfu Cup 2020 Cybersecurity Contest.

Bugs are rarely unique. Software with a growing system size typically involves multiple teams responsible for the development of numerous features. Considering the complexity of the codebase, there is a high probability that bugs shared with similar code patterns may exist in many places throughout the codebase. In this presentation, we take Chrome as an example to present how to discover new vulnerabilities based on historical vulnerabilities. We will introduce several types of code patterns that are prone to be vulnerable in Chrome, from the shallower to the deeper. For each pattern, we will describe it in detail by summarizing from some classic bugs, and present not only the basic workflow of finding similar bugs but also the approach to adjust and refine the pattern to discover new bugs distinct from the originals. We finally found 24 vulnerabilities and got 11 CVEs in Chrome through those patterns. At last, we will detail how to exploit one of them which we used to escape the Chrome sandbox in the Tianfu Cup 2020 Cybersecurity Contest, and this is the first time winning the Chrome category with sandbox escape in the public contest since 2015.